I’m at the beach staring out to sea. The sun is high, the tide is out, and I’m relaxed.
I glance around and spot a sign on a nearby pole. Free WiFi.
The local council is providing free WiFi for anyone that wants it.
How safe is public WiFi? I’m guessing not very. I don’t connect. I’m fine with my data plan. I don’t need to save the bytes.
If I did I’d probably use a VPN. And then I couldn’t do any financial transactions over it. Too paranoid.
How secure is free WiFi?
I don’t plan on finding out. Instead I look back out to sea watching the boats on the horizon. I wonder if they have WiFi?
Category: security
Telemetry data
Have you monitored the data flowing in and out of your home network? You can use tools such as port scanners and packet sniffers to see just how noisy the devices in your home are. Whether your printer is calling home to check for firmware updates or your set-top TV boxes are receiving scheduling updates, you may be surprised just how much traffic is flowing in and out of your home network without your knowledge.
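One way to see which devices are talking to the outside world, as an added example rather than code from the original post: it summarises the text output of `tcpdump -nn` per device. The 192.168.1.0/24 home network, the function names and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: the home LAN is 192.168.1.0/24; change this to match your router.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# Address part of an IPv4 line from `tcpdump -nn`: "IP src.port > dst.port:"
LINE_RE = re.compile(r"\bIP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

# Constructed sample capture (documentation-range addresses), not real traffic.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.20.51000 > 203.0.113.10.443: Flags [S], seq 1, length 0
12:00:01.200000 IP 192.168.1.20.51000 > 203.0.113.10.443: Flags [P.], seq 1:518, length 517
12:00:02.000000 IP 192.168.1.31.40222 > 198.51.100.7.80: Flags [S], seq 9, length 0
12:00:03.000000 IP 192.168.1.20.50000 > 192.168.1.31.8009: UDP, length 45
12:00:04.000000 IP 203.0.113.10.443 > 192.168.1.20.51000: Flags [.], ack 518, length 0
12:00:05.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:06.000000 IP 192.168.1.31.40300 > 203.0.113.10.443: Flags [S], seq 3, length 0
"""

def outbound_summary(capture_text, home_net=HOME_NET):
    """Count packets each LAN device sends to each outside (ip, port)."""
    talkers = defaultdict(Counter)
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6 and anything else this sketch does not parse
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[3])
        # Keep only traffic that leaves the home network.
        if src in home_net and dst not in home_net:
            talkers[str(src)][(str(dst), int(m[4]))] += 1
    return talkers

def noisiest(talkers):
    """Rank devices by how many distinct outside endpoints they contact."""
    rows = [(dev, len(dests), sum(dests.values())) for dev, dests in talkers.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for dev, n_dests, packets in noisiest(outbound_summary(SAMPLE)):
        print(f"{dev}: {n_dests} outside endpoints, {packets} packets")
```

Feed it a real capture by saving the sniffer's text output to a file and passing the file contents to `outbound_summary`.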
One such type of data that has interested me recently is telemetry data. This is data that operating systems and devices send back to their manufacturer to help them improve their products.
Let’s take Microsoft Windows as an example. It has four levels of telemetry data:
Security to help keep their OS secure.
Basic for everyday use.
Enhanced for how you are using the OS.
Full for collecting as much info as possible.
The worrying thing is they don’t go into much detail about what exactly they are collecting and how this may affect your privacy.
Searching online we learn that the telemetry data should include:
Device specifications and health
App usage and performance
Error reports and crash dumps
Feedback and ratings
Browser history and search queries
Location and activity history
Advertising ID and interests
This data could be used to help them improve their software, but it could also be used to profile you. What software you use, what devices you have, when you are online and from what location, what you are viewing and buying online. All valuable information. To someone.
So are you happy for your devices to send telemetry data?
Thoughts on Infostealers
I’ve been thinking about infostealers. Why? Well, I’ve been doing a few ethical hacking challenges recently, and when you find an exploit like an LFI, directory traversal, XSS, or some other method of obtaining data from a target, you tend to build a playbook of places to look for data. I have a list of configuration file locations based on the target OS and what appears to be installed (thanks to nmap and whatever the LFI can return).
Infostealers work in a similar way. They are essentially software programs designed to look for patterns: file name extensions such as PDF, DOC, DOCX, etc., files containing bank details (X-digit strings), email addresses, contact books, login credentials, browser history. You get the idea. Depending on the infostealer’s purpose, it will be programmed to look for particular patterns on each target. Once installed, it begins scanning, looking for possible matches. It collates this data, then covertly sends it back to whoever set the infostealer in motion.
Treat infostealers like any other malicious software: employ a good antimalware strategy. Use a firewall, install good antivirus and antimalware software and keep your sensitive data protected with encryption and 2FA. Keep regular backups and monitor your accounts.
Protect your data.
Data leakage
Our devices and activity are constantly leaking data into the digital ether. What we choose to watch is recorded and reported to a remote server somewhere, along with the make and model of the device we are using, the version of firmware it is running, and its IP address.
When we shop, our loyalty cards and apps record our purchases, as does the method of payment. Our modern cars record telematics and track our location via GPS. The in-car entertainment system tracks what we listen to and watch.
Web browsers profile our surfing habits, smartphones track our social and communication history. Smart meters track our utilities and can even tell when no one is home.
All of our smart devices connect to their manufacturer’s command and control center reporting telematics, performance, and usage data.
The photos and videos we take and upload contain metadata that shows where we took the image or video and on what device. We can be tracked via our smartphones right now and going back in time.
All this data leakage is valuable to someone. How much data are you leaking right now?
Short code scams
Short code scams are rife. You receive a text message from an unknown source informing you that you have been opted-in or signed-up to some such service, or you receive an unsolicited text message asking you to reply to this short code.
Your best bet is to delete and ignore them.
Short code scams work by tricking you into responding, either by messaging the short code or by supplying personal data. The former results in you being charged for a premium service, either one time or repeatedly. The latter, known as smishing, tries to elicit data such as usernames, passwords, and PIN codes from you.
You can look up short codes at https://www.shortcodes.org/ to see if they are a scam. Although to be honest if you did not initiate or request the message your best bet is just to delete it and not reply or click on any links it may contain. Also flag it as spam if your phone provider offers this service.
Digital thefts of physical assets
It seems hard to imagine that someone can steal your home but it can happen. With everything becoming digital these days proof of ownership is key. In the UK proof of ownership of a property resides with the Land Registry. It maintains a database of all registered properties within the UK along with the names and contact details of their owners.
A criminal using identity theft can assume the identity of a legitimate owner of a property and then either instruct a solicitor to sell it or a lettings agent to rent it out with the proceeds of the sale or rental agreement going to an account set up in the name of the stolen identity. These types of thefts are often targeted at unmortgaged, rented, or unoccupied properties.
To combat this type of fraud property owners can set up an alert for any properties they own with the Land Registry’s free Property Alert service here: https://www.gov.uk/guidance/property-alert
After your home, your next biggest asset is probably your car. In the UK, proof of ownership is a combination of the V5C document and receipts from wherever you purchased the vehicle. Scammers target the V5C by attempting to get you to share a copy of it (for example in order to advertise it for sale online) or by applying for a copy, reporting it lost or stolen, after cloning your identity or intercepting your communications. You can reduce the chance of this happening by keeping your V5C safe and secure and not sharing it with anyone. Also keep a copy of all receipts relating to the vehicle to support your proof of ownership.