Author Topic: Cyber Security: Cleaning up your online profile  (Read 5053 times)

Offline I.L.W.

Cyber Security: Cleaning up your online profile
« on: May 12, 2016, 06:30:15 PM »

A bit about me:
I do some freelance work helping identity theft victims, those attacked by "cyber-bullies" and other forms of persistent online harassment (known as "trolling").

Just for fun, I picked a couple of prepper friends to see what I could discover about them via public information on the web. It was a LOT. I was just curious how well versed the TSP community was in cyber security. With all the talk of home defense, martial arts etc, online security runs along the same line. Many here are well prepared to take on a burglar who breaks into their home, but most would be caught with their pants down when confronted with an identity thief who they couldn't point a gun at or sic their dog on. And that is a much more likely scenario these days.

I could go on for days about malware, hacking techniques, social engineering tactics etc, but from what I see here, most people just need a basic primer on identity security before we delve into any of that.

I'm also putting this out there because many here have kids and grandkids who have completely eclipsed them in terms of tech know-how, but are still subject to youthful indiscretions. These techniques can be used to monitor your child's online activity so some snide remark they made in a YouTube comment when they were 12 doesn't hurt their job prospects when they're 40 (and it definitely can!). Do you really know if your little girl is twerking on Snapchat, or if your son is screaming over Xbox Live obscenities that would get you kicked out of an old-west brothel? Seriously... some of the things these kids say make the most deliberately vulgar "Gangsta Rap" sound like the Mormon Tabernacle Choir by comparison.

I just recently helped a parent mitigate the damage of their kid's online activities, which while fairly benign would have been very damaging to them later in life, and it took weeks to clean up what took them hours to create in their online profiles. I'm fearful of what's happening to the kids whose online activities run unchecked for years by parents who don't understand the consequences or know what to look for. If you think that might describe you, please continue reading.

Basic Cyber Security Services

HaveIBeenPwned
https://haveibeenpwned.com/
        This website checks to see if your email address(es) have been included in information which was stolen by hackers in many of the major security breaches, like from Adobe, Target, AshleyMadison, Sony etc. It provides information on what happened, when it happened, and what to do about that specific breach.
Just Delete Me
http://justdelete.me/
        If you have any old accounts which are no longer used (think MySpace), but may contain personal data you would like to have removed, this site will give you instructions on how to delete those accounts, hide information, or provide details on sites which do not allow you to remove your data. For that last reason, this is a good place to start before you make an account with an online service. If they don't allow you to delete your own information, think twice before registering with that service. 
Google Web History
https://history.google.com/history/
        Google knows a lot about you. This page however allows you to control what information they are permitted to collect, how long they can hold it, and allows you to delete information the company has gathered about you.
National Cyber Security Alliance
https://staysafeonline.org/
        Stay Safe Online is a general information center, providing details on trending scams, and best-practice information for the general public.
National "Do Not Call" registry
https://www.donotcall.gov/
        This site will remove your phone number from many of the big telemarketer databases within 72 hours. It's not 100% effective, but it reduces the number of people who have your name, address, phone number and email significantly, and pretty quickly.
Network Advertising Initiative
http://www.networkadvertising.org/choices/
        This is a voluntary group of online advertisers who will allow you to opt-out of "targeted advertising" through their companies. This means they won't track you across the web, but you will still see ads from these companies, just not tailored to you.
Google Alerts
http://alerts.google.com
        This is a simple, yet powerful tool. It basically runs a Google search every day for the terms you specify, then emails you the results. If you search for your own email address, however, and your data is leaked in an online document dump, you'll see it. You'll see where you have shared that information, or who might be talking about you. Create another alert for your website.

Example: If Jack Spirko wants to know who's talking about TSP, he could create an alert like this:
"The Survival Podcast" OR "thesurvivalpodcast.com" -site:http://thesurvivalpodcast.com
This searches for the survival podcast, omitting results originating from thesurvivalpodcast.com itself. It's strictly what other websites are saying.
Then set the alert to "Daily". Now when someone mentions The Survival Podcast on Facebook or Twitter, references it in their blogs etc, he gets a report on it. You can do this with your business, personal blogs, etc.


If you run a business, you may want to hire a professional "Reputation Management" group. Rates are typically between $100-$300 a year, but they will monitor for mentions of your company. If a competitor is bad-mouthing your business, you'll see it and can respond. If your company has data compromised in a larger hack, you'll be notified. Proper use of the above services will actually accomplish this for free, but it's sometimes better to let a professional dot the "i"s and cross the "T"s.

Next Step: Inbox-Zero
This is when you have cleaned your email and have no unread or undealt-with messages. Let's be honest, you probably have 6 million emails that have never been read. We need to clean that up, not so much to make your inbox more navigable (that's just a nice bonus), but to identify who has your email address and information required to spam you, and take measures to remove that data which they have already abused. This will be a monumental task for most people, my advice is to start with making sure just Today's mail is handled, plus 10 other items. We'll slowly chip away at the backlog if you can do that.

Start by looking for junk mail that keeps recurring from the same senders. These are usually companies sending you promotional information, discount codes etc. Open one from each sender, and check the fine print on the bottom of the email for an "Unsubscribe" link. This will take you off of their mailing list. Now search for all emails from that sender in your inbox, and delete all. Repeat with each of these promo emails.

Next you have spam. These are messages from people you don't know, companies you never gave your email address to etc. Don't open them, report the spam message and delete them.

File away things you wish to save. For example, I get confirmation emails from Amazon and various seed companies who have shipped items to me. I save the message as a PDF (under the browser's print menu), and save it to my PC, then delete the email. This way, if my email account were ever compromised, there will be no messages containing my home address, phone number, or the last digits of my credit card.

Personal correspondences (which people rarely send via email these days) are left in my account, provided they don't contain sensitive information.

Just look at a message and determine: Save Online, Save Offline, Report as Spam or Unsubscribe. Little by little, you'll get your inbox under control.

Now keep it clean by controlling who you give information to. Everyone these days wants your email address. The cashier at the grocery store wants it for your discount card. The DMV wants it, the IRS, in some states you can't get a fishing license without providing an email address... This is one situation where saying "Go F*ck Yourself" is an appropriate and socially acceptable response. They're asking for your permission to spam your inbox. When they say "Would you like to receive our newsletter with special offers, sent to your email?" what they really mean is "Our company produces shit, and we'd like you to choke on that shit every day, for the rest of your life. We reserve the right to also force shit upon you from our partners, subsidiaries and affiliates". They don't like spam themselves, the companies asking for it spend tons of money cleaning it off of their own mail servers. They get where you're coming from. Such a response is anticipated, don't back down and surrender your email address to be polite.

Social Networks
It's time to cull the herd. I'm talking about Facebook friends, former co-workers on LinkedIn etc. That kid you knew in High School 20 years ago, who lives in a different state, who you haven't spoken to in years, who was just a friend of a friend really, and you can barely remember their name... drop them. Unfriend.

The girl who you worked with at a burger joint when you were 16 who became a stay-at-home mom while you moved away and became a bank manager; that's not a good business reference on your LinkedIn profile. Everyone will ignore it, and probably get so tired of ignoring useless professional relationships in your profile that they'll move on entirely.

Here are some basic statistics. The average person actually knows (on some personal level) about 600 people across their entire lives. The rest are acquaintances who are rapidly forgotten. Of these 600, about 180 are... well... dicks. You know them, but don't really care to interact with them. Social media penetration in the US is about 60% (more for younger people, less for older people). So 60% of the remaining 420 people are actually on social media. Realistically, if you friended everyone you actually knew, who you wanted to communicate with over the course of your entire life, the average person would have 250 contacts. Some very popular people might have more, but some people friend everyone they've ever met. They'll share their lives with 10,000 people. Those people are compulsive attention whores. Don't be one of them. Seriously, if you personally have over 1,000 Facebook friends, seek psychiatric help, it's time to get medicated! ;) Most people aren't that bad, they've merely accrued some people in their list who they don't really give a damn about. The brother-in-law's ex-wife... Is that relationship worth your time? Probably not. Ex-Girlfriend's brother? Nope. Boss's wife? She gets the axe too. Obviously you make these judgement calls based on what's important to you.

This is like cleaning out an attic. You find that childhood toy that's really beaten up. It brings back happy memories, but you're never going to play with it again, it's just taking up space, getting dusty. You might hang onto one or two keepsakes, but most of it is destined for the dumpster. That's what you're doing here, but with people. Don't feel guilty, they can still look you up again if they need to get in touch with you.

Why do this? To keep your online social circle small. Data leaks more from the people you know than it does from you personally. The more people you are associated with online, the easier it is to construct an accurate statistical profile of you, even if you're never mentioned by any of them. This is one of the most beneficial security measures you can take, and it's one people always ignore, either for lack of understanding about data collection, or they just feel bad "unfriending" someone. Get over it and be prepared to make some tough calls. In the long run, it will benefit you.

This is different for businesses and organizations. They can have millions of friends on Facebook, that's fine. But keep your professional and personal accounts separate.

Things to consider:

Opinions are bad, lol. I struggle with this one myself, but anything you share online will piss someone off. That's the nature of the internet. Comments you make will persist until the end of time. I've learned that even my own opinions change and evolve over time; what I passionately believe now may be less important to me in the future, and I don't want to be held accountable for those views years down the line. I recently interviewed for a contract job, and was questioned about a response I left on a blog in 2003. People do look at your old posts. Use restraint. Don't post short, quick responses, and wait to reply to someone for a few hours before sending a response. This way emotions can be edited out and logic can prevail in your message. That will be much easier to defend if you must.

You are not anonymous. Period. Even if you use a VPN, Tor, Encryption, never post your real name, use someone else's internet connection... you can be tracked. I'm going to give you a quick example: look at my forum avatar. Search for that in an image comparison search engine and you can see any sites I've also used that avatar on. Between all of these sites, you can piece together a lot of data. That's one technique, there are thousands more. There are statistical patterns to the way you type, common phrases, misuses of punctuation, typing speed, misspellings which can be logged and used to build a profile to identify you across many different sites and accounts, regardless of where in the world you are connecting from. Never assume you are anonymous, you are not.

Hackers don't operate in the dark. 90% of them (which is the low-end figure) are employed by companies, and many of them believe what they are doing is ethical. Yes, the guy in India who calls you and tells you you have a virus and he can remove it for $300... he actually thinks he's doing you a favor. You and I know he's a piece of shit con-man, but he genuinely doesn't, lol. There are legal and ethical differences between nations, cultures, political bodies and economic demographics which really blur the lines more than most people think. You are easier to "hack" than you probably think, but most of the people with the ability and knowledge to do so are not overtly malicious, even if their motives are misguided. People are mostly good, were it not for that fact, we'd all be in a heap of shit over our online identities ;)  Be practical in your identity protection, but not paranoid. Even the "bad guys" aren't all that bad as long as you remain vigilant.

This is by no means the extent of online protection, this is only the most basic stuff which requires no training or specialized tools. If anyone here has issues with "Trolls", "Cyber-Bullies", Identity Thieves etc, feel free to PM me and I can go over some information specific to your problem (free... advice is always free, lol)

I may follow up later with more advanced information. If there are security topics you'd like to know more about, let me know. I can either answer your questions or refer you to someone who is an expert in that specific topic.

Offline 1greenman

Re: Cyber Security: Cleaning up your online profile
« Reply #1 on: May 12, 2016, 09:09:16 PM »
I try to keep a measure of OPSEC on our YouTube channel. If you ever see any red flags or dangerous goods that we make, you'll let me know!?

Peace

Online FreeLancer

Re: Cyber Security: Cleaning up your online profile
« Reply #2 on: May 12, 2016, 09:54:44 PM »
:popcorn:

Offline I.L.W.

Re: Cyber Security: Cleaning up your online profile
« Reply #3 on: May 12, 2016, 11:14:43 PM »
Quote
I try to keep a measure of OPSEC on our YouTube channel. If you ever see any red flags or dangerous goods that we make, you'll let me know!?

No problem ;)

Your YouTube channel doesn't have any big issues (none that I would worry about). In theory, it could be used to ascertain your identity (name, address, location, phone numbers etc), but it would take considerable amounts of time. The people who would spend that time are people with a personal vendetta, which means they would already likely know that stuff... Random people online usually won't go to such lengths.

If you really ticked off a hacking group and they decided to Doxx you, there are some flaws which they could exploit using your YouTube channel, but they are minor. Those groups also like higher profile targets, I wouldn't seriously concern myself with that scenario until you reach a million followers.

YouTube is also not the most fertile ground for identity theft. If I was going after someone maliciously, I'd start gathering details on their friends and family via Facebook. Next stop would be job-hunter databases (used by recruitment agencies and corporate head-hunters), as they're always poorly secured and contain things like applications and resumes which give me a life story to work with.

The real issue with YouTube is content control. You've probably heard about viral videos of celebrity melt-downs... Alec Baldwin, Charlie Sheen etc. Don't make that kind of video, lol. As for kids, watch the content they upload and make sure it's appropriate.

A few examples I've encountered of bad videos:

A kid who went on a rant about what an ass his teacher was. It was hilarious, amassed quite a few views, and the school had to take action as every kid in the school had seen it. There were slanderous remarks which could have hurt the teacher's professional future, and it was all around disruptive.

A woman was fired from her job for making a series of "Happy Birthday" videos for her co-workers and emailing the links company-wide. The videos simply wished them a happy birthday in a silly, light-hearted, but work-appropriate way. But they revealed their actual birthday, which is a big InfoSec violation in any business. Sending a company-wide email that says "happy birthday" will get most people escorted out of an office by security guards.

Another parent needed help with kids bullying their daughter. She uploaded a video which was less than flattering, and classmates did re-mixes of it, dubbing over some different audio, splicing in other video frames to change the context of the video, etc. Some kids will go to extraordinary lengths to be assholes, lol. As soon as a video was taken down, it would be re-posted to a new account, endlessly.

Just ask yourself "Can I share this with my boss, my in-laws, and my kids without any problems?" If the answer is yes, you're in the clear. Looks like you already know this. I don't think you have anything to worry about there. Just keep your content clean and your profile under your control. Don't volunteer too much information, and you'll be just fine.

Offline 1greenman

Re: Cyber Security: Cleaning up your online profile
« Reply #4 on: May 12, 2016, 11:23:27 PM »
Wow, golden information sir!
I appreciate the response.... reassuring, AND gives me some good stuff to think about!

Nice

Offline Cedar

Re: Cyber Security: Cleaning up your online profile
« Reply #5 on: May 13, 2016, 03:00:57 AM »
+1

Cedar

Offline Alan Georges

Re: Cyber Security: Cleaning up your online profile
« Reply #6 on: May 13, 2016, 05:36:10 AM »
This is one of those process-over-weekend posts.  Thanks ILW!

Offline I.L.W.

Re: Cyber Security: Cleaning up your online profile
« Reply #7 on: May 13, 2016, 08:49:37 AM »
Don't want to stray too far off topic, but I was asked about the comment that job recruitment websites are insecure. Let me clarify that with an example of how one might exploit that data.

These companies have your name, address, phone number, email address, work history, personal references, social security number, sometimes copies of a driver's license... A lot of juicy info in one place. That makes them a target for identity thieves, and relatively easy to exploit.

Here's one way a hacker might get information from them:

Watch for job postings on any help-wanted website, and when you find a good one, post the most perfect resume for the job. Something to ensure a recruiter will contact you. Once they do, you know who's working that employer's account. Which recruitment firm, which agent specifically. They become the target of social engineering. Just call them up pretending to be from their client company and request some resumes to look over. Ask them who they usually deal with, then so as not to draw suspicion, come up with a plausible reason they are talking to you and not the person they've been working with.

"Hey Allison, my name's John Smith over at Acme Inc. My boss asked me to reach out to you and see if you could help us fill a few positions. He said you're the one to talk to. May I ask, who do you normally work with at my company?"

"William Rodgers"

"Oh... Well, that explains why they have me calling you. Between you and me, I don't think he's going to be with us after Friday... I don't think he knows yet, so if you could keep our conversation here today confidential, I'd rather he find out from the guys upstairs than hearing it second hand."

"Of course"

"To be honest, I've never worked in this capacity before, and I'm not real clear on how you provide us with applicants. Could you walk me through the process?"

They do...

"Here's the situation; we have to lose about 30 people this week, but we're not eliminating the positions. We need immediate replacements for them."

"Wow, what happened?"

"You know, for legal reasons, I can't go into that, but you'll probably see it on the news in a few days. For the time being, we want to keep this as quiet as possible. Besides, right now I'm mostly just hearing rumors, I don't have all the details myself. It's entry level work, no real skill requirement, but we need people fast. Could you FAX me some of the resumes and applications? We'll actually re-write the job description around the people you send us... then I'm compliant in hiring qualified applicants and my ass is covered. It will also make it an easier sell for the applicant if they feel like their skills are being utilized. Yeah, fax them please, I know. Bill still sees the emails to this department, and I don't want him to know we're conducting interviews for his job. You understand. You can redact email addresses and phone numbers of applicants of course, I don't want to work around you, I just need to get the ball rolling, figure out who we'd like to call for an interview and I'll let you set those up for us if that's ok."

By the end of the day, your fax-to-web account is filled with lots of information, lol.  On the social engineering side, there are a few key elements here:

1) Admit ignorance. Good con-men are not charismatic, they're border-line incompetent, but friendly. When you tell your mark you don't know what you're doing and ask for help, you appeal to their ego. They will volunteer a lot more information.

2) Ask for discretion. Just asking them to keep quiet about your conversation goes a long way toward making sure that happens. You're also giving them power over you, they're in the top-secret circle, knowing something others don't and it feels good. They may gossip about it later, but if it buys you a couple of hours, that's all you need. When they feel like they're in control their guard goes down. If discretion is required, you are vulnerable and they are in control (in their own minds at least). Plus it shows you're trusting them, and a lot of people compulsively return that trust.

3) Go low-tech. Use of a fax machine here instead of email helps you remain secure. They're not tipped off like they would be by an email address outside of the corporate domain. This is the same reason check fraud is rising, cashiers these days have never seen a personal check and don't know what to do. You're steering them away from IT and InfoSec policies which might get in your way.

4) Carrot on a stick... You're offering to hire 30 people from them, sight-unseen immediately. They're seeing dollar signs and a way to clear their roster of applicants that are otherwise unmarketable, and they're helping save your ass in the process, which you make it clear you won't forget. They're motivated.



This is one way someone might gain access to a bulk of records. There are many other plausible means of getting this information. You may be able to forego the people in the company directly if you have access to their database. This is a low-tech approach to illustrate how insecure the data really is. You don't need to know anything about databases to follow what's happening here. In the end, you'll get everything you need to be approved for a credit-card in the names of a couple dozen people. Use the info to sign up for an Amazon credit card at checkout, but buy digital items like online gift cards which you can resell for cash at a discount. Then you don't need the physical credit card. All the victims know is they get a credit card in the mail, and if and when they activate it, it already has a $50 balance on it, with an account in their name which they don't have access to log into.

DON'T DO THIS... This is not an instructional piece, lol. This is a real crime with real prison time attached to it, and I've omitted several cautionary steps the con-man would take to not get caught. Followed as described here, you would get caught. But it's important for people to see how data can be exploited, and how easily it can be obtained. A copy & paste resume and a 45 minute phone call a couple of days later, and this person gets easily a couple thousand dollars worth of other people's credit. There are shops set up where con-men in rows of cubicles run this exact scam dozens of times a day.

Ok, so we're WAY off topic here, lol. But there's one key point you need to take away from this example:

The victims here gave their information over to a reputable company, they didn't type it into some malware app or pop-up ad. The data was given to a trusted source. The person who is the keeper of that information (the recruiting agent) is not some shady individual, it's their goodness (the very reason that you would trust them) which is leveraged by exploiting their willingness to help.

This is why you need to keep personal information closely guarded. You might be an excellent judge of character and know who you can trust. But do the people you trust have that same good judgement? If the information is given to a company, can you trust everyone in the company who has or will have access to that information? No. You could never fall for a scam in your life and exercise the best personal judgement, but databases don't exercise any judgement. Once that data's out there, common sense and street-smarts amount to jack-shit. A lot of people have this false sense of security that they can't be conned. They don't need to be conned to find themselves a victim in these cases. Be careful to only give out information when it is absolutely required.

Offline archer

Re: Cyber Security: Cleaning up your online profile
« Reply #8 on: May 13, 2016, 05:19:34 PM »
Good job, +1

Offline cidyl

Re: Cyber Security: Cleaning up your online profile
« Reply #9 on: May 14, 2016, 05:39:03 AM »
Lots here to think about.  +1

Offline Stwood

Re: Cyber Security: Cleaning up your online profile
« Reply #10 on: May 20, 2016, 08:21:14 AM »
 8)