You may not have heard of the term SOCMINT, which emerged a couple of years ago as the abbreviation for Social Media Intelligence. What has this to do with Apple iCloud and celebrities?
Well, if you are to believe Apple, this is what was used to hack into celebrity iCloud storage. It appears the criminals gathered enough online information on these individuals to reset their passwords and hijack their accounts.
Effectively we have a successful social engineering attack without directly manipulating the human. No one rang Apple, no one rang the celebrities, no eavesdropping in restaurants, no getting close enough to clone phones, no going through celebrity trash cans. It appears this attack relied entirely on gathering and analysing online digital content, perhaps helped along by some targeted phishing emails.
Social engineering of social media: I think I can create a new acronym, SESM. I checked Google and no one has used it before.
How do you stop SESM happening to you? Google, Microsoft and Apple all want you to use their cloud services: they are free, they are so convenient and you can recover your device from them, so "don't use it" is not the practical answer. It is about taking responsibility for your own security. In a foreign country, would you hand over your passport to a complete stranger? Yet when it comes to our online digital life, the lack of physical presence seems to create the belief that it is OK to pass responsibility for security to others. How much did you pay these strangers to do this for you?
Here are some simple strategies to keep strangers and hackers out of your digital life:
1. Passwords are important, so give them personality: use special characters or, better, a passphrase. If a site does not lock the account after repeated failed logins, hacker tools can automatically run every word in the dictionary and every common password combination against your account in only a few hours.
2. Get in front of a screen with someone you have not "friended"; it might be a sibling or a work colleague. Get them to look you up on Facebook and the other social sites and see what they can see as a stranger. You might be surprised. You can then go and fix your privacy and security settings.
3. On social media, value your circle of trust. Do not "friend" anyone you have not met. What they say to you in a request could be totally false; there is no internet Bro Code that states "I will not make up a social media page and tell lies". You need to protect yourself and your friends. If they say they know you through a mutual friend, ask that friend how they know them before responding.
4. Would you walk up to a creep on the street and hand over a photo of your smiling face with your home address written on the back? No, so don't do it online. If you upload a photo taken at home or at a friend's house, make sure the location (GPS) data stored in the photo's metadata has been removed. Many social networks strip it on upload, but do not rely on that: the original you email or share by other means still carries it.
5. Birth date. You need this on Facebook so everyone can wish you happy birthday, but do you really need to divulge it on other sites? Most of the time these sites only want it so they can market to you; it adds nothing to your experience. Limit the amount of personal information you enter on such sites: just because they ask, you don't have to tell. If you have to enter a birth date then, for example, round the year to the nearest decade. If one of these sites is compromised, the hacker then cannot use the birth date to help gain access to your important sites.
6. SMS alerts. Apple has announced it will strengthen its iCloud account alerting in light of the celebrity hack. If there is one thing to do as soon as possible, it is to go to your social media sites and check that you have SMS alerts turned on for account change requests, such as password resets and logins from new devices.
7. Security questions. This appears to be what caught the celebrities out. Questions like "what is your mother's maiden name", "what city were you born in" or "what high school did you attend" don't really cut it, because the answers can often be found online. Instead try something like "which movie star or singer do you dislike?" You are more likely to post or join conversations about things you like than things you dislike; politicians are probably the exception. Better still, treat the answer as a second password: it does not have to be true, only something you can remember or store safely.
8. Phishing emails can look very legitimate and may be personally addressed. Never respond to, or open links in, an unsolicited email that asks about your online account details or claims to have something for you. Just delete it. Only go to your sites through your browser favourites or the app; once logged in you can check whether there are any legitimate messages for you.
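Point 4 talks about removing location data from photos before sharing them. As an added example that is not part of the original post, the Python below (standard library only) checks a JPEG for the GPSInfo tag in its Exif metadata and strips the Exif block so the file can be shared without it. The sample JPEG bytes are constructed inline purely to exercise the code; they are not a real picture. The function names are this example's own; the tag ids (0x8825 for GPSInfo, 0x010F for Make, 0x0001 for GPSLatitudeRef) are the ones defined by the Exif/TIFF specification.

```python
import struct

# JPEG marker bytes (the byte following 0xFF)
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"   # prefix of an APP1 segment that carries Exif
TAG_MAKE = 0x010F               # camera manufacturer (harmless, kept as filler)
TAG_GPS_IFD = 0x8825            # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT_REF = 0x0001        # "N"/"S", first entry of a GPS sub-IFD


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before SOS/EOI.

    start..end covers the whole segment: 0xFF, marker, 2-byte length, payload.
    Only the metadata segments at the front of the file are walked; the
    entropy-coded image data after SOS is never parsed.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes itself
        end = pos + 2 + length
        yield marker, pos, end
        pos = end


def exif_tags(tiff):
    """Return the set of tag ids in IFD0 of the TIFF blob that follows 'Exif\\0\\0'."""
    if tiff[:2] == b"II":
        fmt = "<"          # little-endian TIFF
    elif tiff[:2] == b"MM":
        fmt = ">"          # big-endian TIFF
    else:
        raise ValueError("bad TIFF byte-order mark")
    (ifd0,) = struct.unpack(fmt + "I", tiff[4:8])       # offset of IFD0
    (count,) = struct.unpack(fmt + "H", tiff[ifd0:ifd0 + 2])
    tags = set()
    for i in range(count):                               # 12-byte entries
        entry = ifd0 + 2 + 12 * i
        (tag,) = struct.unpack(fmt + "H", tiff[entry:entry + 2])
        tags.add(tag)
    return tags


def has_gps(jpeg):
    """True if any Exif APP1 segment in the file carries a GPS sub-IFD."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            if TAG_GPS_IFD in exif_tags(payload[len(EXIF_HEADER):]):
                return True
    return False


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed.

    Other segments (JFIF APP0, quantisation tables, image data) are untouched,
    so the picture still displays; only the metadata is gone.
    """
    out = bytearray(jpeg)
    # delete from the back so earlier offsets stay valid while we cut
    for marker, start, end in reversed(list(iter_segments(jpeg))):
        if marker == APP1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            del out[start:end]
    return bytes(out)


def build_sample_jpeg(with_gps):
    """Constructed test input: SOI, a JFIF APP0, an Exif APP1, EOI. Not a real image."""
    entries = [struct.pack(">HHI4s", TAG_MAKE, 2, 4, b"Cam\x00")]   # ASCII, inline value
    gps_ifd = b""
    if with_gps:
        gps_offset = 8 + 2 + 12 * 2 + 4          # GPS sub-IFD sits right after IFD0
        entries.append(struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_offset))  # LONG
        gps_ifd = (struct.pack(">H", 1)
                   + struct.pack(">HHI4s", TAG_GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
                   + struct.pack(">I", 0))
    ifd0 = struct.pack(">H", len(entries)) + b"".join(entries) + struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps_ifd
    app1_payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    return b"\xff\xd8" + app0 + app1 + b"\xff\xd9"


if __name__ == "__main__":
    original = build_sample_jpeg(with_gps=True)
    print("GPS present before:", has_gps(original))        # True
    cleaned = strip_exif(original)
    print("GPS present after: ", has_gps(cleaned))         # False
```

Removing the whole Exif APP1 segment is the blunt approach most "strip metadata" tools take; it also drops the camera make, timestamps and the embedded thumbnail, which is usually what you want before a photo leaves your hands. Removing only the GPS sub-IFD while keeping the rest means rewriting the TIFF offsets and is not shown here. To check a real file, read it in binary mode and pass the bytes to `has_gps`.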
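Point 8 says a phishing link can look legitimate. The reason is that the text you see and the address the link actually opens are two different things. As an added illustration that is not part of the original post, the Python below (standard library only) pulls every link out of a constructed sample email, flags links whose target domain is not one you expect, and flags links whose visible text shows one domain while the href goes to another. The trusted-domain list, the "last two labels" domain rule and the sample email are this example's own assumptions; there is no public-suffix list, so the domain rule is deliberately crude.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare text such as 'www.site.com' is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude 'last two labels' rule (assumption: no public-suffix list), so
    icloud.com.account-verify.example -> account-verify.example."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """Heuristic: a single token containing a dot reads as a URL or domain."""
    return "." in text and " " not in text and not text.endswith(".")


def suspicious_links(html, trusted_domains):
    """Return [(href, [reasons])] for links a reader should not click."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = registered_domain(host_of(href))
        reasons = []
        if target not in trusted_domains:
            reasons.append(f"target domain {target or '(none)'} is not a trusted domain")
        if looks_like_url(text):
            shown = registered_domain(host_of(text))
            if shown != target:
                # the classic phish: the visible address is not where you go
                reasons.append(f"visible text says {shown} but link goes to {target}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email body (assumption: not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, your account needs verification within 24 hours.</p>
<p><a href="http://icloud.com.account-verify.example/login">https://www.icloud.com/</a></p>
<p><a href="https://www.icloud.com/">iCloud</a></p>
<p><a href="http://lnk.example/x3">Click here</a> to claim your prize.</p>
"""

TRUSTED = {"icloud.com", "apple.com"}   # the sites you actually use (assumption)

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first link is flagged twice (the displayed `icloud.com` is only a subdomain label of `account-verify.example`) and the shortened "Click here" link once; the genuine `www.icloud.com` link passes. The check only confirms what the post recommends: do not decide from the email, open the site from your own favourites or app instead.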
Greg Starkey
BDM
www.cqr.com