Cyber Defense Advisors

LOCKING THE BACK DOOR (Pt. 4 of “Why Don’t You Go Dox Yourself?”)

With passwords and MFA out of the way, let’s next look at connected apps or services that are tied to our priority accounts. When you log into other sites on the web through Facebook, Google, or another social account, as well as when you install social media apps or games, you are sharing information about those accounts with those services. This may be as limited as the email address and username on file, or may include much more information like your friends list, contacts, likes/subscriptions, or more.

A well-known example of this data-harvesting method is the Cambridge Analytica story, where installing a social media app opened up access to much more information than users realized. (Note: as mentioned in the linked article, Facebook added protective measures to limit the amount of data available to app developers, but connected accounts can still present a liability if misused.)

LOCKING THE BACK DOOR(S)

With this in mind, look under the Security or Privacy section of each of your account’s settings, and review where you have either used this account to log into a third-party website or allowed access when installing an app. Here are some handy links to some of the most common services to check:

Facebook
Google
Twitter
Instagram
Amazon
Apple
Microsoft

If you aren’t going to use the app again or don’t want to share any details, remove them. Once you’ve checked your accounts, repeat this process with all the apps installed on your phone.

Just like connecting a social account to a third-party game can share information like your contact info and friend’s list, installing an app on your mobile device can share information including your contacts, camera roll and more. Fortunately, mobile OSes have gotten much better at notifying users before installation on what information is shared, so you should be able to see which apps might be nosier than you’re comfortable with.

Finally — and this is really for the nerds and techies out there — check if you have any API (short for “application programming interface”) keys or browser extensions connected to your accounts. API keys are commonly used to let different apps or services “talk” between one another. They let you use services like Zapier or IFTTT to do things like have your Spotify favorites automatically saved to a Google Sheet, or check Weather Underground to send a daily email with the forecast.

Browser extensions let you customize a web browser and integrate services, like quickly clicking to save an article for review on a “read it later” service like Instapaper. Even if you trust the developer when installing these apps, they may pose a risk later on if they are recovered or taken over by an attacker. These “zombie extensions” rely on a broad install base from a legitimate service which can later be misused to gather information or launch attacks by a malicious developer.

A LINK TO YOUR PAST

We’ve made great progress already, and taken steps to help defend your accounts from prying eyes going forward – now it’s time to lock down your previous activities on social media. Rather than enumerate every option on every service, I’ll highlight some common tools and privacy settings you’ll want to check:

See yourself through a stranger’s eyes. You can quickly see what information in a social media profile is visible to someone outside your friends list by opening an incognito/private tab in your web browser and visiting your profile’s page. Some services have more granular tools that will allow you to view as a stranger or even as a specific profile.
Make your past more mysterious. Most social media services have an option to bulk change privacy settings on your previous content, typically listed as something like “Limit Past Posts” (as shown for Facebook below), “Protect Your Posts,” or “Make Private.” You can always re-share pinned content or your favorite posts with the world, but moving that review from an “opt-out” rather than “opt-in” process will give you a huge head start. While we’re in your post settings, change the default setting for your future posts to your social circles by default.

Set clear boundaries. Where supported, taking the time to build sublists/groups for your friends list based on context (work, school, your *shudder* improv group),will make it easier to fine-tune the audience for your future posts. You can set boundaries on what your friends can share about you, including requiring your approval before allowing tags or whether your friend’s friends can search for your profile. And while you’re taking a look at that friends list, ask yourself…
Where do you know them from? You’ve just seen the difference between how much information a friend can see on your profile compared to a friend – which means you want to keep your friends close, and randos the heck out of your business! Don’t be shy about removing contacts you don’t recognize, or asking for context when receiving a new friend request that doesn’t ring a bell.
Don’t contact us, we’ll contact you. When you’re setting up a new profile, odds are you’ve seen a request to share access to your contacts or the option to search for someone by their phone number or email address. You may want to enable this after we dedicate a “public” email address (more on that in just a moment), otherwise you can disable these options as well.

Before moving on to email, I’ll add another plug for the NYT Social Media Security and Privacy Checklists if you, like me, would rather have a series of boxes to mark off while going through each step above.

YOU GOTTA KEEP ‘EM SEPARATED

Security experts know that you can’t erase the possibility of risk, and it can be counterproductive to build a plan to that expectation. What is realistic and achievable is identifying risk so you know what you’re up against, mitigating risk by following security best practices, and isolating risk where possible so that in the event of an incident, one failure doesn’t have a domino effect affecting other resources. If that seems a bit abstract, let’s take a look at a practical example.

Tech journalist Mat Honan was the unlucky victim of a targeted hack, which resulted in a near-complete lockout from his digital life requiring a Herculean effort to recover. Fortunately for us, Mat documented his experience in the Wired story, “How Apple and Amazon Security Flaws Led to My Epic Hacking,” which offers an excellent summary of exactly the type of domino effect I described. I encourage you to read the full article, but for a CliffsNotes version sufficient for our needs here:

The attacker started their research using Honan’s Twitter account, @mat. From there, they found his personal website which included his personal Gmail address.
By entering that email and clicking the “Forgot Your Password” recovery link, the attacker was able to see a partially obscured version of his Apple ID which was used as his secondary email: m****[email protected]. From here it was pretty easy to figure out the full Apple ID.
Now the attacker focused on gaining access to that Apple ID with the knowledge that (at the time) Apple support would validate an account with the billing address and last four digits of the credit card on file. The address was harvested from a WHOIS lookup of his personal site, which searches public registration info available for websites.
The last four digits of the credit card were gathered by exploiting a flaw in Amazon’s tech support, which involved using everything collected so far to add a new card and email to Mat’s account, then using these new “approved” details to reset his Amazon password. From there, it was easy to find the last four digits of the credit card used on previous orders, and a safe guess he likely used the same with Apple.
With both address and digits in hand, the attacker then called Apple Support and used their collected info to gain access to Mat’s Apple ID through a password reset.
Once they got access to this Apple ID, the domino effect really picked up speed. As the iCloud address was the reset email for Google, they were able to gain access there and then use the Google address to reset his Twitter account password. To slow down his attempts to regain access, for good measure they used the Find My Mac feature to remotely wipe and lock his Apple devices making it much harder to reach support.

Honan’s article goes into much more detail, including some of the changes made by the services exploited to prevent similar incidents in the future. The key takeaway is that having a couple of emails without strong authentication tied to all his most important accounts, including the recovery of these email accounts themselves, meant that the compromise of his Amazon account quickly snowballed into something much bigger.

We’re going to learn from that painful lesson, and do some segmentation on our email channels based on the priority and how public we want that account to be. (“Segmentation” is an industry term that can be mostly boiled down to “don’t put all your eggs in one basket”, and keep critical or vulnerable resources separate from each other.) I would suggest setting up a few different emails, listed here from least- to most-public:

Recovery Email: Only used for password resets when a backup address is allowed, and nowhere else.
High-Priority Email: This would include anything with payment, financial, health, or other sensitive information. This email is only used for these sensitive accounts, and I would encourage you to opt out of any sharing/advertisement consent options to minimize its footprint.
Social Email: Think of this as your “calling card” – when you want to be found by a personal contact. For instance, if you wanted the option for your friends to connect their contacts to an account to find friends, this is the address you’d use.
Low-Priority Email: This is for…everywhere else you have to provide an email address for one-time or trivial purposes. Want to sign up for a newsletter, receive coupons/sale notifications, or create an account to reply to someone’s comment on a news website? While you can always use “disposable” email services to create a single-use email account, many websites will block these temp account services from registration and you may someday need to re-access the email you used. For this reason, I recommend setting up a dedicated address. Some email services like Gmail even allow you to create task-specific versions of your email address using a “[email protected]” format. This way, if that tagged email shows up in another message or on another site, you’ve got a good idea who shared your information!

For all of the above, of course, we’ll create strong passwords and set up 2FA. And speaking of 2FA, you can use the same split-channel approach we followed for email to set up a dedicated verification number (using a VOIP service or something like Google Voice) when sending a passcode by SMS is the only option supported. Keeping these recovery numbers separate from your main phone number reduces the risk of them being leaked, sold, or captured in an unrelated breach.

Good news: We’re almost done with doxxing ourselves! In the next section, we’ll sweep out those unused accounts to avoid leaving data-filled loose ends and take a look at how data brokers profit off of your personal information and what you can do to opt-out.

You’ve made it this far so maybe you’re passionate like we are about developing innovative ways to make security accessible. We’d love for you to join our mission.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn