Security and Apathy
So, I feel obligated to take issue with an apathetic stance on privacy. It is true that privacy is largely a personal responsibility. It's up to each of us, according to our degree of concern, to secure those things we wish to keep private. As part of the EFF and being involved in various projects, either personally or as part of work, I hear from users that maintaining a secure posture with regard to privacy and security is difficult: "It's complicated and cumbersome" or "It takes too much time."
The one I disdain is: "I've got nothing to hide, why should I care?" While this may be true, and you may be a paragon of virtue who obeys every law, you still have an exposure to digital risk. The security of banking and credit is laughable. Your social security number, despite promises made when the program was created, is a unique identifier that ties directly to you: personally, financially and, most frighteningly, to your medical records.
There are 3 domains of info that someone needs to destroy your credit and reputation.
- Bio: Who, Where, When. You give these away freely every day.
- Digital: Location, History, Unique IDs. Not given away as much or as freely, but still operationally important and valuable. Your phone is the driving source.
- Associations: Who do you hang out with? What do you do together? Where do you go? What social demographic do you more closely tie in with? Social Media is the driving source.
Criminals and State sponsored Operators usually only need info on two of the three domains. If they have your name, and your phone number, they can easily see associations. If a location is combined with your bio, and a glance at Facebook tells them your associations, it is a trivial, academic thing to derive your actions, history and trail of activities.
The rudimentary information outlined above seems to be just that: simple, not expansive or totally useful. But when combined and analyzed using many of the more modern machine learning algorithms, producing the information needed to ruin your credit is not only quickly done, but comprehensively done. No one targets an individual unless there is some kind of grudge. Thousands of people are the target. Batch processing and automation give attackers the ability to steal from thousands at a time. Your medical information is available on a Tor site somewhere, as part of a package of thousands.
If you've ever applied for a job with the US Gov, any entity, big or small, your intel is out there. Granted, this is not an individual OpSec failing, but one born out of institutional laziness and the desire to cut budgets as much as possible. Corporations are no better and often worse with regards to security posture.
Now, I've gone fairly far with regard to personal security posture and arguing against the "I've got nothing to hide" fallacy. My argument is this: herd immunity solves the majority of security problems. Go gloss over the basics of herd immunity. Replace disease with security failures, and picture the vectors as the three domains I illustrated above. If enough of us maintain a strong enough posture, the process of digitally raping thousands breaks down. Sure, a few slip through the cracks and lose all of their money.
But I argue that awareness, education and leading by example have taught sweet little old ladies that giving out information over the phone, or to a door-to-door salesman, is a bad idea. It's happening less and less. Credit can be given to an awareness of the problem, and to the speed of information transmission. Regularly, police departments take to social media to warn of grifters.
To say that you're unconcerned, or that it doesn't matter anyway, is exactly the kind of intellectual laziness, the apathetic attitude, that contributes directly to the problem. Loons that protest against vaccinations, and end up needing them, garner no sympathy from me. Those that don't vote because they think it won't make a difference are giving free votes to those they don't want in office.
What can you do? Just as you brush your teeth or hair (those good habits that make others want to be around you), good habits can be useful to maintain a personal secure posture. Clear your browser history; log off your banking site. Renew credit cards 4 times a year. Shred anything with your name on it that you don't keep. Encrypt email that might give attackers a clue. Do not store your tax returns, social security cards or banking history on your computer unless you use an encrypted drive: 20 minutes alone with your computer and a screwdriver, and I have your information. All good habits require a bit of effort to set up. Don't open email from people you don't know. If you do, most certainly do not open a link or attachment. UCA had a problem with this just this week. If your company does not regularly do assessments and, more importantly, spot checks in the form of fake phishing (attempts by the security team to see if users are paying attention), mention it. Your name, address, social and financial info is in your company's DB, somewhere.
Two-Factor Auth. Often, my friends make fun of me for having my YubiKey around my neck. It's ok, I'm paranoid; I've been ripped off before. Unless you maintain servers and are responsible for others' social media accounts, you don't have to go to that extreme. But simple Google Authenticator, LastPass, Duo, something of that nature, will prevent a huge number of the attacks that succeed by compromising simple passwords. Sure, it's time-consuming to get set up, but you lock your doors, right? You check windows and back doors at night. You lock your car and keep valuables out of it. Why is your digital life any different? We've all been screwed by criminals. I was just last year, and it was our fault. We assumed, incorrectly, that we were safe.
Unless you spend some time understanding the risks and taking some measures, you're not safe. State actors, criminals and opportunistic corporations looking to make money want you complacent, relaxed and under the delusion that all is well. Hopefully, if you made it this far, you have the barest glimpse of the reality of poor security and apathy.