Eric Brown: 0:05

You're listening to the Audit presented by IT Audit Labs.

Mandi Rae: 0:14

Welcome back to the Audit. I am joined here with the whole crew. We are in our third installment of personal information security protection in a modern era. If you joined us last week, Kyle, what did we talk about?

Kyle Rosendahl: 0:30

Yeah, last week we talked about personal data protections as it applies to your personal messaging and emails. So we talked a lot about using an encrypted messenger, using an encrypted email service, and why using some of those free services might not be the best choice for your own personal data privacy out in the cloud.

Eric Brown: 0:51

Kyle, did you know that a cat's nose print is as unique as a human's fingerprint?

Kyle Rosendahl: 1:02

I did not know that. I was wondering where that was going to go so you could. So you could use that for your biometric unlock on your iphone.

Nick Mellem: 1:11

A cat- could use that, yes, for like what would? What would tiktok privacy?

Mandi Rae: 1:15

think about that, oh we're gonna get into that, aren't?

Nick Mellem: 1:19

we, we are well, I don't know, it's a good. Yeah, we're good into it that's a good segue.

Mandi Rae: 1:23

So what are we talking about today?

Kyle Rosendahl: 1:25

Today we're going to be talking about web privacy and kind of browsing habits and things that you can do to protect yourself when you're browsing the web, as well as some kind of social media and, I guess, larger corporation internet conglomerate privacy, data and settings that you can set, and whether you're kind of content with the amount that they're collecting on you and how to see all the stuff that they may or may not have on you.

Mandi Rae: 1:51

Yeah, Sounds interesting.

Kyle Rosendahl: 1:55

So, to start, I know something that Eric and I both talk about a fair amount is to use a VPN when you're browsing, and I think if you listen to really any other podcast out there, they're going to tell you you know, get a VPN. Lots of your internet service providers, your cell providers, they're collecting data on your browsing habits and what you're doing, and so we always like to say you know, if you don't want those pieces of information just to be given over to the ISP or the cell carrier or whoever happens to be sending those packets along for you is to use a reputable VPN service. You know I give this presentation to a lot of people who don't know a ton about technology, so I do like to just kind of talk about an analogy with what a VPN is and what it does, and the one I always use is sending a book or sending war and peace on postcards. If you were to send the postcard to a friend across the United States, wrote out as much as you could of the book on each postcard and sent each one in series to them. A postcard doesn't need an envelope, so the postal carrier, the person at the mailbox who picks it up, anyone on the route between you and the destination, can see the return address, where it's going, and then what's written on it. That's essentially how internet packets work. In a nutshell. A VPN basically puts an envelope around that and gives you a middleman to work with where you write your data down. It goes into the envelope, so only you and the recipient are able to read it, and you use somebody in the middle to route that for you. So instead of sending it directly to your friend, you're sending it to a third party who then forwards it on to your friend, and only you and your friend know what's written on it. So, in a nutshell, that's the analogy I use. I think it's somewhat apt, but we tend to recommend using a VPN for that reason.

Kyle Rosendahl: 3:59

There's a few reputable options out there. I know I use ProtonVPN private internet access. I actually have subscriptions to both, depending on the use case and what I kind of need it for. Reputable options out there, I know I use ProtonVPN private internet access. I actually have subscriptions to both, depending on the use case and what I kind of need it for. They're all. And NordVPN is another one that I know of that people use. They're all pretty good cross-platform. They work on a lot of different platforms Windows, iphone, mac, you name it. They don't store any logs. They encrypt your traffic, they make it more private as it's going across the internet, and then they give you a safe tunnel from which you can use that public wi-fi signal one of the things on that kyle.

Eric Brown: 4:33

Um, that's interesting. You talk about being tracked, right, or how you can protect your your privacy to some extent if you use a VPN and maybe it's another episode, but one of the things, one of the ways that you're tracked, as you mentioned, your ISP is with a super cookie, right? So with a regular cookie that's stored in your browser and we could show that um to maybe later today, the uh ways to block um cookies being stored in your browser or information that's coming from your browser, ways to block that. But the super cookie you don't have any control of, that's injected by your isp and your ISP is building that essentially database of information on you that then could be sold to other third parties. So by using a VPN, you're essentially bypassing your ISP's ability to set those super cookies about you, because all they see is that encrypted tunnel.

Kyle Rosendahl: 5:51

Yeah, exactly yeah. And then I mean beyond just the privacy of it. Again, I put this on the slide just as a bonus feature. Right, if you're using a service like Netflix or Hulu or something that some people might not know Netflix has a different library of shows in the UK and Canada than they do in the United States. You can use a VPN and make it look as though you're coming from that side of the world and get different content on those platforms as well as you sign in. So a little extra bonus tip that most people don't know.

Mandi Rae: 6:28

Just in case you want to watch the British version of the Office.

Kyle Rosendahl: 6:32

JOHN MUELLER JR. Exactly, yeah, moving from VPN and keeping your browsing private to your web passwords. I think a lot of us know quite a bit about web passwords and we touched on have I been pwned? Two weeks ago, I believe, and in this case, you know, one of the things that a lot of people tend to do is they'll use their browser as their password manager and a lot of websites. After you type in a new password, you'll get the pop-up from Google Chrome or Firefox or whatever browser you're using, and it will say do you want us to save that password for you? Just in short, you know, I think all of us in the security field would say don't do that right.

Kyle Rosendahl: 7:16

Those passwords that are stored in your browser are a lot easier to extract. They can grab those, crack those, you know, use cookies and other things that hook into the browser to pull that data out and it can cause a lot of issues. And if you use similar passwords or even the same password across sites, you know that single breached password from storing it in your browser could lead to whole other problems. So you know, step one we like to talk about and we showed this off is that have I been pwned, you know it'll tell you if you've been a part of a breach and give you an idea of where you need to change your passwords. Or if you're using similar passwords, you know, get rid of those and step two after that. Once you change those passwords, we recommend using a password manager.

Kyle Rosendahl: 8:05

Personally, I use one password, but there's a whole slew of them out there that you could use. I know a lot of us here like Bitwarden as well. These are all kind of your commercial grade ones, but you create one very strong master password to lock that vault and then inside that you're keeping encrypted versions of those passwords so you can make more complex passwords and not have to remember 100, 200 entries for any set of websites.

Eric Brown: 8:35

One of the questions that we get asked when we do this presentation from time to time is is a password manager safe, because you're keeping all of your eggs in one basket. Well then, what happens if there's a problem with that password manager?

Kyle Rosendahl: 8:56

Right, yeah, and it depends. I mean, lastpass had a breach just two weeks ago here in 2022, mid-september I think and in that case part of the source code was taken and possible access to those password vaults was a potential. With a reputable service, they'll use kind of double-blind encryption so they don't even store the keys to your password vault on their servers. So it's possible that then the attackers could get those encrypted secrets. Once they collect those, they'd have to re-crack all of those and, depending on the encryption standards used, it may be possible, it may be difficult. You know, it just really depends. But you're right, it does cause that kind of all your eggs in one basket. I don't know. What are your thoughts on that? What are everybody's thoughts on that?

Mandi Rae: 9:57

I love working here because I just spotted an Easter egg.

Nick Mellem: 10:04

What was the Easter egg?

Eric Brown: 10:07

The password.

Nick Mellem: 10:12

That's personal to me, Kyle. To answer your question personally, I think it's better to risk all the eggs in one basket versus having the same password for a lot of your logins and weak passwords. What do?

Mandi Rae: 10:28

you guys think about that new feature where it'll enter a custom password for you that it generates, versus you using your own password. What are your thoughts and opinions on that?

Nick Mellem: 10:42

You mean like the Apple service?

Mandi Rae: 10:44

Yeah, that's a great example.

Eric Brown: 10:48

I like the Apple service.

Eric Brown: 10:50

The only challenge with it is if you don't have Safari installed on a browser, right?

Eric Brown: 10:55

So say you go to a public machine or you don't have access, maybe, to your computer or your personal mobile device, you don't have access then to those passwords, whereas with a password manager, like one of these here or other password managers, that those, those keys, are stored online. As long as you had access online, you could you could retrieve that password. So if you're at the library wwwbitwardencom, you could log in and then get your login creds for whatever service you wanted to log into, versus the Safari one or the Apple one, which would require you to either have your device or access to your iCloud account so that you could then load those passwords. But I do think it's a great service that Apple is doing and trying to make it easy for people to have complex passwords and an easy way to get them. Of course, if you do have passwords that are stored there, you can download them and import them into another password manager like one of these they are very complex and you can set the password like in bitwarden.

Eric Brown: 12:27

You can set it to use a passphrase or generate passwords of a certain character length you know if you wanted 16 characters or whatever it was and you can specify capitals or lowercase or numbers or exclude certain alphanumeric characters. So it's pretty highly customizable from that perspective.

Kyle Rosendahl: 12:53

Yeah, I agree. I think just the only downside to it is, for instance, I'll use like a randomly generated one for some of those more secure accounts, so say my bank account. It'll say, hey, you can have a password of, you know, 15 to 64 characters. I'll say, sweet, I'm going to use 64 characters, randomly generated If I ever get in the situation where my copy paste isn't working or I don't have access to my password manager, which is rare. But if I need to get into, say, my bank account and I don't have my manager, I have to type it in manually, right? Typing that 64 character random string is painful, right? Is it going to be harder to crack for somebody?

Mandi Rae: 13:37

probably impossible I was gonna say I don't have enough money for a 64 character password and all the stress that comes with it.

Kyle Rosendahl: 13:44

Yeah, so I mean that's that's.

Eric Brown: 13:47

The only downside is if you get stuck in a situation where you can't copy paste but one of the things I've done for some of the tier one accounts, like a bank account or a credit card, is, in addition to using that randomly generated string for a password, I'll do the same thing for a username.

Eric Brown: 14:09

Right, random string of digits doesn't have to be your email address, because you can associate an email address in the account settings. You know if you forget your password or whatever. But really that username and password in most cases are just representatives of a way to identify you and then the password to access that account. So there's nothing saying that you can't just make up a bunch of random words or letters to use as a username, and as long as you use a password manager, it really doesn't matter. And then for any of the security questions like we've talked about before, just not answering them truthfully. So it's like what was the street you were born on? You know you could put in any sort of answer to that. It doesn't have to be the actual street, because nobody's looking at that but you, yep.

Kyle Rosendahl: 15:10

Yeah. So I mean again password vaults really good To add another layer of security to those. We typically recommend doing multi-factor wherever possible. As Eric was just describing. Some of that knowledge-based authentication can be dangerous to put the true answers into, because anyone with good open source intelligence skills is going to be able to figure out those answers. So thinking about answering those KVA questions less truthfully and then using a either a piece of software like the Microsoft authenticator, lastpass authenticator, okta, whatever it is or a hardware token like a YubiKey or something of that sort, where possible, just gives you that extra. You know something you have to make sure that somebody isn't getting into your account, even if they somehow get a hold of your password and I think most password vaults nowadays even require MFA to get in. So even if that password is breached, unless they're able to spoof that MFA, they're still not getting your passwords, and so they'd have to get those encrypted hashes and crack those. So they'd have to get those encrypted hashes and crack those.

Eric Brown: 16:16

I bet Nick could socially engineer someone to click the accept button on that authenticator. He just has such a demeanor on the phone that it's like he's ordering pizza, but he's really getting creds to the account.

Nick Mellem: 16:37

That would be a great test to do. I think at least I've had it happen to. You know you automatically go change your password, but you'll get a key. They'll come through like a text oh, you're trying to change your password, so yeah it's kind of a situation exactly yeah that happens on my instagram account occasionally yeah, so I mean change your password.

Mandi Rae: 17:02

I do every time because I work with people who give good advice so getting into the more.

Kyle Rosendahl: 17:08

I don't want to say more interesting stuff, but stuff that's more kind of in your face. Um, cookies and trackers and websites. Um, a cookie is essentially just a piece of code that the website will embed in your browser and these things are doing anything from tracking how long you're spending on the page, what you're clicking on, what you're looking at, how long you're spending there, to even being embedded in your browser and watching where you go to after the site, similar to those ISP super cookies that Eric was describing, that follow you from website to website to watch your browsing history and how you do things. So we're going to introduce a few different browser extensions that we all tend to use that can reduce these trackers that get embedded in your browser, delete them as you reload the page or go to a new page, so that, even if they're added, they're only there for a short amount of time and not following you between websites, or even can stop them from being added in the first place if they're not necessary. So a few of the ones that we're going to go over are going to be I think Privacy Badger is one that Nick and I use.

Kyle Rosendahl: 18:19

Ghostry is another very common one that I think Mandy and Eric typically use, and then something like uBlock Origin or AdBlock Plus. Both of them do very similar things, but all of these are they're blocking ads, so you see fewer ads on websites. They're blocking those trackers that follow you between sites. In a lot of cases, they're eliminating the cookies as they're added to your browser or they're stopping them from being added in the first place. So I think we got some hands-on stuff. We're going to kind of show here and talk about this and then talk about socials and conglomerates like Facebook, google I guess Meta now not Facebook and kind of types of data and things that they collect on us and what you can kind of do about that and thoughts on that.

Eric Brown: 19:03

On this one here. These are all, as you were saying, kyle, browser-specific. I think a cool episode to do in the near future would be on maybe some of the network settings that we can do. That then involve DNS, so how you can protect network wide in a home or a business setting. So certainly having these on the browser. But I think we could show just an open network connection to the internet through an ISP and then putting something in place like a Firewalla device with some ad block capabilities on it and we could show what that looks like and how many ads are blocked or could be blocked at the network and DNS level. Yeah, totally.

Mandi Rae: 19:57

Are we ready to check it out?

Eric Brown: 19:59

Sure.

Mandi Rae: 20:00

It's one of Nick's favorite websites.

Nick Mellem: 20:03

Oh cool.

Mandi Rae: 20:04

Here we are, Nick's favorite website. You want to walk us through this, Melom?

Nick Mellem: 20:10

Yeah, let's take a look at the blockers. First, on the ghost tree with the 72. Perfect, so we can see all the different blocks. Click on Detailed View up there and see if it Perfect, so we can see all the trackers that are getting blocked. You can scroll through there. You can see Google, amazon, everybody that's trying to get a piece of this information. So it's a pretty interesting view just to see you know all the different things that are hitting us every day everywhere you go online. Obviously, tmz is going to be worse than you know most, but this is a really good example.

Eric Brown: 20:49

Know most, but this is a really good example as tmz it has a lot, but you know it varies across the web, but we like to use tmz. It's kind of gross, right? It's 72 and a 32 second page load because of the junk on this site, right? Yeah, it's pretty eye opening and then you've got yeah, you got add block plus on there and it's a green thumb because you've got it open now, right, it was paused let's take a look.

Eric Brown: 21:20

15 and then, yeah, if you turned them on same thing with ghost rate, if you turned them on same thing with Ghostry, if you unpaused it and then reloaded the page.

Nick Mellem: 21:33

Yeah, so go hit the refresh page in the top left. Mandy, here we go, so Ghostry will load up again.

Mandi Rae: 21:44

Let's watch them go up.

Nick Mellem: 21:46

Yeah.

Mandi Rae: 21:52

Cool, will load up again. Let's watch them go up. Yeah, cool. Well, I think we kind of showed the value in having these and the amount of ick happening absolutely yeah, and and I think really I mean just to I mean open a discussion here.

Kyle Rosendahl: 22:10

The last piece I think we kind of have to talk about with web browsing is social media and something that I think most everybody, at least in the US, is using and on in some capacity, whether it be Facebook or Twitter or Instagram or Snapchat or TikTok or you know, you name it.

Kyle Rosendahl: 22:31

They're pervasive in how far they go and, beyond that, even other social platforms like YouTube and some of the things owned by Google and the amount of stuff that they're collecting on us and the amount of stuff that they're collecting on us. So I know Eric was looking at his Google profile and how many pieces of data they had on him, both for advertisements and location data, texting information, voice information, anything that feeds into the Google platform, like YouTube, google Pay, and then myself I was looking at the TikTok terms of service recently for a review piece for work and just looking at you know, in plain English, on their privacy policy, all the things that they say, hey, if you use our platform, we're allowed to collect all of this automatically, and here's the stuff you can choose to share with us, right, and it's pretty eye-opening that most people don't think about. So, um, I don't know where we want to start with that if, eric, you want to show google, or if we want to jump over to the the terms of service for tick tock.

Eric Brown: 23:36

But yeah, let's jump into the terms of service for tick tock, because that was really eye-opening yeah, let me just share that here I mean clearly, none of us have tick tock oh just share that here.

Kyle Rosendahl: 23:51

I mean, clearly none of us have tick tock, oh no. But I do know people in the security world that work with us and that I've worked with in the past and that we're at conferences, like defcon right, that use tick tock as a social media platform. So I mean it's it's huge and it's huge with teens and kids.

Kyle Rosendahl: 24:09

So this is on their website, right? This is TikTokcom privacy policy legal. Last updated June 2nd of 2021. So it's a little bit old at this point, but it basically just encompasses you know what information they're collecting. So information you choose to provide, right, that's all that information that you can decide whether you're going to give it to them. Right, you can tell them your age. You choose to tell them a username and a password to sign up for the platform. Right? Your profile information, any of the content that you create, like videos and things like that content, like text, images, video found on the clipboard.

Kyle Rosendahl: 24:53

You know all of these things that they ask you before you provide them, or they make it implicit that you must say you know submit or post, or you know you're making the choice to put that on the platform. Right, that's all of this here. If you're buying something through TikTok, your PayPal information, things like that stuff makes sense Once you get down to here, right? This is where you get to that kind of gray area of you know information we obtained from other sources. There's lots of other web platforms that are doing things like this. You know your social media and login services. So, if you choose to log into TikTok with Facebook or log in with Google or, you know, use your credentials for that purpose. You know they'll collect information from that platform as well about you.

Kyle Rosendahl: 25:40

Third-party services so, again, you know they share analytic information with third parties users of the platform, other sources you know they're doing lots of data mining around all of this, but where it gets really interesting is down here in the information that we automatically collect. Right, where they start to say they're collecting information regarding use of the platform and any other user content you generate or upload through the platform, including device information, right? So your IP address, user agent, which would be, you know, the browser application version you're on, your mobile carrier, so whether you're on AT&T, t-mobile, sprint, cricket, wireless. Right, time zone identifiers for advertising purposes. So they're looking for your age, the model of your device, the operating system, what type of network you're connected to, the id of your device or ids. So what could that be?

Kyle Rosendahl: 26:37

Mac address? A whole number of things, screen resolution, operating system, app and file names. So other things. You have installed keystroke patterns or rhythms, so keyboard information and data not limited to what you're just typing on tiktok, right? Battery state, audio settings, connected audio devices I mean it's everything location data up to you know, precise location, image and audio information.

Eric Brown: 27:06

Yeah, it's literally everything off your phone and this is like you know, when you watch TV and you see a commercial, come up for some sort of medical medicine. You know some sort of medicine and then it lists all of the side effects, right?

Eric Brown: 27:21

things it's gonna make you feel yeah, and this is if you just go back up to that keystroke information, right. So there's a? There's a company that was started here in Minnesota I forget the name of the organization off the top of my head, but they were were doing identity management based on keystrokes. So their claim to fame and I recently just saw an ad for an organization that really took that concept and does continual re-authentication of an identity based on their typing pattern. So, rather than just identifying you when you log into an application or a machine, they're continually re-identifying you through your keystroke patterns. So I knew that the claim of the organization that I was familiar with they could identify your, like who you were as an individual. Because, like if the four of us were logging into something, we each have different keystroke patterns, right, even if we typed exactly the same amount of words per minute, how we do it is different, so they can identify the individual based on that.

Eric Brown: 28:41

But if this is capturing keystroke patterns or rhythms, and this information here, specifically with TikTok, is going over to a nation state entity, right, this is TikTok's, owned by ByteDance, which is a Beijing company. That, in aggregate, becomes pretty scary as we look at the global paradigm of how organizations that don't have the same laws and rules that we do here in the United States interact with this data and potentially could become military adversaries of us at some point in time. Mean we, we see, you know, in our, in our day jobs, we see thousands, if not hundreds of thousands, of attacks coming in from um nation-state actors, uh, some of which are are chinese in origin. Um, so yeah, this just digging into it kind of makes your skin crawl a little bit.

Mandi Rae: 29:51

Even down to the battery state.

Kyle Rosendahl: 29:52

Yeah, that's ridiculous. And to Eric's point about this being for nation state stuff right, if we look at the audio and image information they're gathering. Right, they're saying we're collecting stuff about the images and audio, like identifying objects, scenery, existence and location.

Kyle Rosendahl: 30:09

So basically the pictures where you're taking them, who's in, who you are yeah, exactly, and we're doing this for special video effects or content moderation or demographic classification, right, or non-personally identifying operations in quotation marks, right, and we may collect biometric identifiers and information as defined under us laws, like face prints and voice prints, from your user content, right? So, oh, hey, we're actually also gathering, you know, an image of what your voice sounds like and your face, and we're just sticking those together and now we own it. Right now we know what you look like, what you sound like in all various what you like to watch how can be?

Kyle Rosendahl: 30:50

used where, where you took your fake yeah, and where you took your videos right. Where do you frequent? Where are you taking videos and then, after getting into.

Mandi Rae: 30:59

Who do you hang out with? Where do you go? Yeah, why don't you charge your phone more often?

Nick Mellem: 31:04

well, I think that man, with the battery state thing, I know, like in china, the battery state they actually use as a part of, like, the loan process, because they're basically saying if you drain your battery all the way down, you're less likely to be eligible for a loan than somebody that might keep their phone. It's a. I can send you the article.

Nick Mellem: 31:23

It's in an article about stereotypes about their credit score, about their credit usage program over there, and the battery state is a part of it, and I think that's why that's in here I'd love to see that.

Kyle Rosendahl: 31:39

I think what feels the grossest about this for me is kind of the demographic that it's targeting, which is pre-teens, teens, young adults not even knowing because I think we talked about last time like when you're born with the internet, it's just people don't get it right, and so what they're going to do with that data in the future yeah, and I don't know, maybe I'm not the only one that's had this, but I bring stuff like this to friends who aren't necessarily in information security, right, I used to work a coaching job, coaching swimming and we would sit down at a table after a swim meet and I'd be like, oh you know, when you upload stuff to Facebook and when you go on this social media site, they're collecting all this stuff about you and they're building a profile. And most of the people I talk to are like oh gross. Like don't tell me that, I don't want to know. Like I don't care if they're doing it, I just want to be happy using Facebook, right? Like does that happen to any of you?

Nick Mellem: 32:41

I was going to agree. That's every. Every time I bring it up, they don't care. My wife uses TikTok, my sister loves TikTok, everybody's using it, but I've brought that up multiple times. About what we're looking at now, they just don't want to be bothered with it, they just want to have fun just whipping through TikToks.

Mandi Rae: 33:02

And I have friends who love the education, and then other people who call me a total nerd.

Eric Brown: 33:09

It's kind of that saying, and I forget who said it, but if slaughterhouses had glass walls, everyone would be a vegetarian, and it's the same euphemism here, where, yeah, this is right out in the open on their website. Anybody can read it, but nobody really does, and those that do, um, it maybe is not as a deterrent as we would think it would be it's kind of like the oddest side out of mind, right.

Eric Brown: 33:40

I don't want to think about it or know about it, so I can continue with on my day yeah, I once had somebody say to me, as Kyle, similar to you, where I was talking with friends about password managers, and the person said to me, you know, when we were talking about using a password manager well, you know, I don't really care. If somebody gets into my Pizza Hut account, you know what's the worst that they're going to do order a pizza and using that as an excuse to not maintain separate credentials for different accounts that they log into. So I think we all face those things from time to time. But it really is a good question to ask and at least for people to be thinking about. Well, what are all the ramifications if someone did have access to your Pizza Hut account or your Subway account or whatever it was, and could access that account because you used the same credentials that were previously breached from another restaurateur?

Mandi Rae: 34:57

Next episode we will conclude our series on personal information security in a modern era, talking about personal physical security and credit protection. So please join us again on the audit. Also, if you want to learn more, check out our website at wwwitauditlabscom. We're also on socials. Thanks, guys.

Eric Brown: 35:25

And Mandy, will we have a new cat fact to see, if Kyle knows.

Mandi Rae: 35:32

How about you own cat facts and cat jokes? I'm going to stick in the dad joke area.

Nick Mellem: 35:37

Yeah.

Eric Brown: 35:39

I get them all from Nick, so I get them from Nick's mom.

Mandi Rae: 35:44

I get them from Nick's mom.

Eric Brown: 35:49

IT Audit Labs assesses security, risk and compliance. Our threat assessments find the soft spots before the bad guys do. Whether you are looking for a point solution or a broader security program, contact IT Audit Labs to reduce your organizational risk.