It was one of those rainy Thursday mornings where you have to provide the bright
spots yourself. Well, I got a chance to do just that, because I was on my way
to give a special presentation. Our HR people held the annual Girls Day, for 14-
and 15-year-old girls from the high school next door. I was the first male (and
perhaps the oldest) speaker in the history of Girls Day. One thing was clear: I
shouldn't come here with a story about how we do security. My story had to be
about those girls.

I wanted to show the students something about their digital footprint. And so a
few weeks ago I requested the list of participants and googled the names. You
should have seen their faces when I told them! Wide-eyed, exchanging anxious
looks with their friends. I told them that I was not going to mention any names
and that I would not put anything recognizable on the screen. That reassured them
somewhat. But I did have their full attention.

My search initially yielded a fairly innocent harvest: there were quite a few
sporty girls, ranging from gymnasts to horse riders (including the horses’
names). More than half of the girls didn’t show up on Google at all. However,
one particular girl revealed more. She had - probably unintentionally - made
her presentations for the triangular meetings public (triangular meetings are
the modern form of the parents' evening, where the tutor, the parents and the
student get together and the student explains how things are going). I now know
that this student sometimes lacks motivation (well, who doesn't), has attended
different primary schools (someone at the back of the room breathed a sigh of
relief: this isn't me!), likes teacher X but has trouble with their subject and
enjoys the school parties. And a few more things that I left out because they
are too personal.

This student probably didn't want to give the usual PowerPoint presentation, but
something flashier. Instead she used Prezi, which allows you to create a very
dynamic story. However, all your presentations are public if you use the free
version. Oops. And oh yes, I was able to make the match between teacher X and
the difficult subject because there is a list of all teachers on the school's
website.

Instagram let me demonstrate that other people also (often unintentionally) reveal
information about you. I looked up the names there too. For one name, there
were three accounts. Which account belonged to the student on my list? The second
account had a follower that was also on my list of names. Bingo! Then I took a
closer look at the followers of that account. There was a company name in
there, which also contained the girl's surname (fictional example: Balloon King
Johnson). It’s a safe bet that this is the student's father or mother. The bio
of that company account also included the street and city name. But no house
number. It was the kind of business you could imagine being based at home. If I
could find that company, I would know where this girl lived.

With Google Street View you can virtually walk through a street. And look at the
houses. When I walked through that street mentioned in the account for the
second time and took a good look around me, I found what I was looking for: at
one house, I saw something that was a clear reference to the company (in the
fictional example there would have been a balloon arch at the front door). I told
my audience: “If the letters in your zip code are AL, then this is about you.” You
could have heard a pin drop.

So what, you might think. But remember: I'm one of the good guys. There’s plenty
of scum around who would love to know where a girl like that lives. With my
little finger exercise I demonstrated that the solution often consists of
several puzzle pieces, which you can find in different places. I also told my
audience that I am only an amateur in this field, and with this
video I showed how others, who approach this with a
bit of professionalism, can find out much more about you.

Of course I threw away the list of names. What remains is the memory of a special
morning in which I hopefully made a number of young people think.
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- healthcare has developed a framework for red teaming. [DUTCH]
- Apple warned residents in nearly half of all countries about a sophisticated spyware attack.
- hackers hijacked a TV channel. [DUTCH]
- For a long time, anyone could request the codes of thousands of alarm systems. [DUTCH]
- Russia is waging a major disinformation campaign to undermine US support for Ukraine.
- the Russians also stole email from the American government.
- Meanwhile, China is hacking the American infrastructure.
- Users of multiple types of D-Link NAS run the risk of malicious people breaking in.
- you certainly don't browse privately in a Google incognito mode.
- it’s quite a problem when hardware contains a vulnerability.
- sometimes ransomware is just a game of bluff poker.
- Many data breaches occur due to cyber attacks. [DUTCH]
- you can now easily check whether you really have a bank employee on the phone. [DUTCH]