We often make sure our homes, vehicles, and valuables are under lock and key. Some install state-of-the-art security systems in their homes. Many of the people in our audience own firearms that they train with regularly so that they are prepared to defend their lives as well as other innocent people around them. Yet the majority of people in the modern age post their entire lives for all to see on social media. Data brokers collect your personally identifiable information (PII) and sell it to anyone willing to pay a couple of bucks. Flock cameras watch your every move while you are out on a walk, or map the route you take to pick up your kids from school every day.
The way to defend against these things is having good operational security, otherwise known as Opsec. Just like physical security, there isn’t just one thing you can do to protect yourself, and you must change your habits to be successful. A shift in mindset is needed; a lifestyle change. Understanding how attackers think and use seemingly unimportant information to manipulate, cheat, and steal is important.
One of my favorite stories to explain how bad actors use this information is actually a story about one of the good guys. There was a penetration tester (sometimes called an ethical hacker) who was hired to break into the systems of a large company to test their defenses. During a meeting where they were planning the engagement, the CEO of the company said “I’m sure you’ll be able to hack into the company, but you wouldn’t be able to compromise me personally.” The pentester asked if he could try, and included the CEO personally in the scope of the engagement. The CEO agreed, confidently saying “You won’t hack me. My personal security is too good.”
Once the engagement started, the pentester searched the CEO’s name on social media websites and found his Facebook profile. On that profile, he had made a public post about how excited he was to go on a much-needed vacation with his family. In the post the CEO had tagged his wife and his daughter, giving the pentester their names and direct links to their Facebook profiles. A quick look at the wife’s profile revealed the city where they were vacationing. A few minutes later, the pentester had found the Instagram account of the CEO’s daughter, where she had posted a photo of herself relaxing next to a swimming pool. Looking at Google Earth, he was able to compare the shape of the pool and the surrounding architecture to hotels in the city he had found from the wife’s profile, and identified the exact hotel they were staying at. The city was only a couple of hours’ drive away, so he hopped in his car and started driving.
Once he arrived at the hotel, he had to figure out which room the CEO was staying in. Many hotels create rotating passwords for their guests. A common way they do this is by using your last name and room number, as was the case with this particular hotel. The pentester sat in the lobby with his laptop trying the CEO’s last name plus a room number until he successfully logged in. Bingo! He had a room on the 3rd floor.
He made his way to the CEO’s room and knocked. No answer. So he called the front desk pretending to be the CEO and very angrily said into the phone, “This is Mr. CEO in room 3xx. This is the third time my keycard hasn’t worked. You better send someone up from maintenance to let me into my room right now!” The employee on the other end apologized and said someone was on their way. Sure enough, a few minutes later, a housekeeper came and unlocked the door.
Once inside, the pentester noticed the CEO had left his company laptop open and unlocked on the desk in his room, with some important financial documents on the screen. He took a few photos and left his business card on the laptop to prove he had been there, then left the room, making sure to lock the door behind him.
There wasn’t any sort of sophisticated hack or super-spy technique used to compromise the CEO. It was simply a few public social media posts and some clever thinking that allowed the pentester to be successful. Unfortunately, many people give out sensitive information publicly without even thinking about it, and that information can lead to a compromise. One simple thing the CEO’s family could have changed that would’ve prevented all this from happening (or at least made it much harder) is to wait to post anything about their vacation until after they had returned. “We are on vacation for a week in Las Vegas” means “My house is most likely empty for a week” to a burglar.
Start thinking about your personal information, and the things you share publicly, from the perspective of a bad actor. Ask yourself: “What could someone do to harm me with this information, or what other information could they gather from it?” Also, Google yourself. Search your full name plus the town you live in. You might be surprised by what information is just a Google search away.
I hope I have you thinking more deeply about the information you share freely, and how it affects your personal security, privacy, and safety. This is just the first article in a series on personal opsec. I’ll be adding practical guides on how to improve your personal opsec and make it harder for the bad guys to take advantage of you.
