 |
| Image from Pixabay |
Last
Tuesday I was in the auditorium of a hotel in Venlo. Standing on the presenter’s
side in a lecture hall is a bit intimidating, but after four presentations to
groups of colleagues about the risks of their online existence, it fit me like
a glove.
An
important part of those risks has to do with your privacy. While you can use
all kinds of apps for free, most apps also do something on their own: they
collect data about you. And they sell that information to advertising companies,
who use this information to create profiles. Your name is not necessarily
linked to this: mobile devices work with an advertising ID that is linked to
your device. Is your privacy well protected by this feature? Meh.
As is
often the case in information security, it is all about who you are, or
sometimes also what you are. Take phishing for example. This can be done in two
ways: the criminals use a dragnet and are fine with whatever they catch, or they
use a spear to catch exactly the one fish they want. For example, because they
know that that person has access to the company's money and is therefore a good
target to receive an email 'from the CEO', stating that he must immediately
transfer a nice amount of money to a certain bank account. This form of
phishing is called spear phishing; you now understand why.
Back
to the advertising world. As we saw, profiles are created for advertising
purposes, but who says those profiles can only be used for that purpose?
Suppose you have a collection of profiles. You could then create a map showing all
the devices in a certain area. You don't know who they belong to, you just see
the advertising IDs. Then you could single out one of those IDs and turn the
question around, so to speak: where has this device been? That may provide a
clue of places where the device is often found. And that in turn offers the
opportunity to find out where someone works and where he lives.
For
most of us, that's not a threat – we're not interesting enough for that. But what
if you’re a criminal and therefore the police are looking for you? By using
information, which is actually intended for placing advertisements, they may be
able to get close to you. Unfortunately, it also works the other way: what if
you’re in law enforcement and you have to deal with criminals that also have
access to that kind of information? Of course either side also needs
specialized software for this. Reputable companies that could make something
like this would probably only supply such a product to law enforcement.
Unfortunately, organized crime is also becoming smarter and moreover, they have
plenty of money to have something like that built. That could be a serious
threat. In the context of personnel care, the Dutch financial crimes unit kindly
requested this blog post on the matter. But of course it can also be relevant
for other colleagues and for people outside our organization.
You
can do something about this quite easily. The advertising ID of your device can
be turned off. This makes you invisible on the map, and your device will not
appear if someone asks the question: which devices are present around this
office building around eight in the morning and five in the afternoon?
Advertising companies such as Google and Meta will inform you that you will
then see 'less relevant' advertising. So what! I brush aside the advertising
for strollers as easily as I would the advertising for running shoes. And remember,
if you also have your private phone in your pocket while at work, you want to
kill the advertising ID on that device as well. Here is a brief description of how to do this in iOS/IpadOS and in Android.
And in this video, John Oliver explains again how trading your data works. The entire video
is interesting; fast forward to 10:10 if you just want to see the part about
phone location.
The
above tips are of course only intended for people on the right side of the law.
It is advisable for criminals not to follow the tips, because that could have
all kinds of unpleasant consequences.
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- America
is leading the way in regulating AI.
[DUTCH]
- The
Netherlands is investing in its own AI language model. [DUTCH]
- Here you can read everything you need for a business case for IAM programs.
- SolarWinds CISO has been charged with fraud.
- dozens of governments have pledged never to give in to ransomware demands.
- you can read the entire statement here.
- Payment is often the easiest solution in the event of a ransomware attack.
- Government sanctions help (somewhat) against ransomware.
- a company like Boeing is undoubtedly a big fish for ransomware criminals.
- the transition to post-quantum cryptography is not at all difficult for many organizations.
- the
judge has convicted an Amersfoort
resident for
creating and distributing a deepfake
video. [DUTCH]
- a botnet is sometimes killed by others than the police.
