The Audit - Cybersecurity Podcast

Personal Information Security Protection in a Modern Era, Part I

IT Audit Labs Season 1 Episode 2

The digital breadcrumbs we leave behind create a startlingly accurate profile of who we are—one that corporations, governments, and malicious actors can exploit. In this eye-opening conversation, the team at IT Audit Labs unpacks the complex and sometimes unsettling reality of personal information security in today's connected world.

Kyle breaks down the concept of big data, explaining how seemingly unrelated pieces of information from various sources build a comprehensive picture of individual users. From social media platforms tracking your interests to internet service providers monitoring your browsing habits, the team examines how this data collection permeates every aspect of our digital lives.

The conversation takes a fascinating turn when Eric shares how Target's data analytics became so sophisticated that their algorithm could identify pregnant shoppers before they had announced their pregnancies—sometimes even before they had told their families. This revelation sparks a deeper discussion about the ethics of predictive analytics and the fine line between personalized service and invasive surveillance.

More sobering examples follow, including how law enforcement uses location data to identify suspects, how metadata in photographs can reveal precise locations, and how children are particularly vulnerable to social engineering tactics. The team shares practical advice for protecting yourself and your family, from managing metadata on photos to teaching children about online safety.

This episode serves as the first in a three-part series on personal information security. Future installments will cover email and messaging security, internet browsing protection, password management, and proper disposal of personally identifiable information. Whether you're a security professional or simply concerned about your digital privacy, you'll gain valuable insights on navigating our increasingly surveillance-heavy world.

Ready to take control of your digital footprint? Subscribe now and join us for this essential conversation about reclaiming your privacy in the age of big data.

Eric Brown:

You're listening to the Audit presented by IT Audit Labs.

Mandi Rae:

Hello and welcome back to the Audit by IT Audit Labs. My name's Mandi and today I'm joined by Eric, Nick and Kyle from IT Audit Labs. We're going to talk about personal information security protection in a modern era. How are you guys today?

Kyle Rosendahl:

Doing well, thanks, Mandi. Awesome.

Nick Mellem:

Hey, Mandi.

Kyle Rosendahl:

Good. Hey, Mandi.

Mandi Rae:

So tell us a little bit more about what we're going to dig into.

Eric Brown:

Yeah, this is an interesting one. We give this talk from time to time to groups of people and even individuals when we do some of our executive security training and there's always more that we could talk about or dive into, and we're usually giving this presentation or these talks to people who aren't security practitioners by and large. So it'll be fun to dive in and just share some anecdotal stories as we go through this with each other and some of the things being security folks that you've run into when you've given the presentation or just in your own research or personal lives.

Mandi Rae:

And we all know Nick has stories, so I look forward to this.

Eric Brown:

Is this the after-dark episode?

Nick Mellem:

I'll hold those till later.

Mandi Rae:

Exactly. So, of these topics, this is going to be the first part of a three-part series, so what are we going to dig into today?

Eric Brown:

I think data protection, email security and maybe messaging security. Let's see how far we get there. We may have some good stories. So hopefully it won't take longer than three episodes, but you never know.

Mandi Rae:

Sounds good. So, Kyle, what is big data? Big data.

Eric Brown:

Did you have... hold on a sec there?

Mandi Rae:

Sorry, Kyle. Did you have a dad joke that you wanted to share? Oh, I do, and, um, thank you for bringing that up, because I love dad jokes. What does a baby computer call his father? I have no idea. Data. Yeah, Kyle. Oh my gosh, straight from my dad. Yeah, so let's talk about big daddy. That's a good one.

Kyle Rosendahl:

Um, yeah, so what is big data? You know, typically when I give this presentation in front of a group of people, usually we're giving it to a set of people that aren't always the most technology literate or aren't necessarily thinking about their personal security and online security in general. So I like to start off talking about big data, and I think this slide here is a good representation of some of the things that go into it. It's kind of a hot-button topic in today's day and age, but big data is really kind of the idea that, when it comes to the internet and when it comes to information that we're putting on the internet, all of these things can be tied together in some way to paint kind of a larger picture of you as an individual. So with the right data sets and with the right sets of information about you, someone could kind of paint a picture and they use this to help advertise to you and learn more about you as a consumer.

Mandi Rae:

Typically, which is super scary. Doesn't it feel just entirely creepy?

Eric Brown:

It does and it's interesting.

Eric Brown:

Invasive, invasive, super invasive. And some of these companies spread beyond just their Facebook, for example, right? Just their individual social media. But they have trackers and collectors that they put out on websites to get information about you and your internet history. And Google does the same thing, but I think they're doing it to build that profile about you that could then be sold for more targeted marketing. But I think that's at the root of it: it's all about money and how to better market products to you so you buy something.

Kyle Rosendahl:

Typically and I mean, if you go to the next slide, I mean it's a good one just to leave up as well, just with you know what are some examples of things that different applications, different websites, different companies are collecting about you, right, and I think it shows kind of how widespread and pervasive it is, just because you know, it's not just the social media sites, it's also your internet service provider, right, collecting information on what websites you're visiting, at what time you're using the internet.

Kyle Rosendahl:

You know, your cell phone, Android, owned by Google, Apple, obviously, right, they're collecting metrics from your phone and usages and they're using them to try and make a more addicting experience, to keep you using their products more frequently. But to Eric's point, as they track you on the internet and they're trying to collect information to help advertise to you and sell things to you in some ways too. I mean, there's statisticians and other people that are working on these platforms, that are using it to try and make predictions too. They're trying to determine who to present specific ads to, to try and, you know, promote their candidates that they're looking to push.

Mandi Rae:

Those swing voters.

Kyle Rosendahl:

Yeah, exactly, they're doing it through social media and they're doing it through mail, and they're collecting information about how you use the internet, how you use your phone, to predict, you know, maybe, who you might be more inclined to vote for and then find the best way to place that advertisement in front of you, whether it's through mail and your physical address, or whether it's through an ad on your, you know, social media pages and things like that. So it's not always just vendors and advertisers, but it's also, you know, political campaigns and things like that.

Eric Brown:

What I saw that was interesting on the iPhone platform: now it looks like you can easily go into the metadata of the photo and then you can manipulate the metadata of that photo. So you could go into the information and then you could adjust, for example, for social engineering or other purposes, where you know you could say, oh no, I was at your house at one o'clock. And then, you know, you could show the photo where it shows that the time was one o'clock, but really you could have been there at 11.

Eric Brown:

Creates an alibi. Yeah, it does, and I think maybe not a lot of people would know that. And there's certainly ways to strip that metadata off of the photo. But people probably wouldn't know that you could change that information relatively easily. Or if the information was stripped off, you could put fake information back on it. But there's a lot of scary information, not scary, but a lot of information in that metadata: the type of device, the f-stop of the camera, the location if you have location services turned on for it, the date and time. Pretty intrusive stuff.

Mandi Rae:

It reminds me of conversations we had before about the Ring camera, where I recognized advancing technology in this way. There's so many helpful things it does for law enforcement, for other agencies, right? When, I think at DEF CON, we heard a Skytalk about how they're reducing child trafficking and child pornography by using, you know, these different types of information. What other ways do you think threat actors would use this information?

Nick Mellem:

From a personal standpoint? Well, for example, one, Mandi, is I'm looking at a photo of mine here and it shows the exact place I took the picture, right? So if they take a picture at a park, right, they might know that they hung out there, so we can prey on those people at that location. I think that's one of the most notable parts.

Mandi Rae:

So then I think of, like my kids, right Like I work in this industry. We hear some horror stories my kids don't know and anyone born with the internet. They act like they're invincible, right, like it's no big deal and it's crazy how freely they share information, but then, furthermore, like if they're talking to a potential threat actor on the internet and they're sharing pictures and that's giving them the location, right, how do you safeguard yourself from things like that?

Eric Brown:

We should do an episode on just the security for minors one of these days. I had an interesting conversation with a probation officer today at one of our customers and we were talking about a project that we're jointly working on, and then we started talking about corrections and probation and aliases that professionals could use in the business to protect themselves from the clients that they serve. Where maybe a probation officer sends somebody back to prison and the person's not terribly happy about that, there could be potential things for that probation officer to be aware of. So we talked a little bit about that. And then she was talking about her family and she's got some small children that are of the age where they're starting to interact with social media and come online, and one of the things that she was saying was kids believe anything.

Eric Brown:

You know, you have a younger child and, yeah, they get like a scam text or a scam email. They believe that, yeah, they are gonna get a free pair of shoes or something, and it's, you know, when kids are seven years old, I think that's the age of reason, but, you know, around that age it's really tough to explain to someone, to a child, that it could be a scam and that, no, you're really not going to get a free pair of shoes, right? They can't understand that kind of evil side of things, and unfortunately those of us who've been in this industry get, you know, pretty jaded after a while.

Mandi Rae:

Yeah, one of the ways I try to help coach my children. I have a preteen, but elementary school, you know, they're online on their Chromebooks at school. I also have a phone that she uses that's Wi-Fi capable, doesn't have cellular service, but, right, on road trips and stuff. It's the new way that kids entertain themselves, and so I always tell my kids, if it feels too good to be true, if what they're offering you really want, talk to me, because 10 times out of 10 it's not going to happen, that free Chipotle burrito, right? Like, even grownups are able to be social engineered, because who doesn't love a free burrito?

Kyle Rosendahl:

Yeah. Well, I mean, I'm of the age, probably on the youngest end of the age, where kind of the pre-Facebook internet is still like a living memory for me, right, where early 2000s, late 1990s, being on the internet, the rule of thumb was don't put any personal information on the internet, right? You don't know these people, you don't know who they are, you don't want them to find you. Like, don't trust anyone.

Kyle Rosendahl:

And then about 2007 rolls around and that whole script gets flipped over and it's like, oh yeah, post all these photos of you and your friends. And now you have to have this you know competitive profile out there. And all of a sudden, everybody was posting personal information and using their full name as their username. And I mean it was just crazy at the time to be like, okay, I just went, you know, in the course of six months from let's not post anything personal to post your life online, right, and people take advantage of that now to take advantage of other people. And I don't think the bad people have disappeared. It's easier to hide when people are much more trusting online.

Eric Brown:

It's always that love-hate relationship that we have as practitioners with the security questions, like, yes, it's a good way to recover your password, but all of the things on this page would be used, or could be used, to form those security questions right, like you know what type of, what was your first car, what street did you live on? All things that are relatively easily socially engineered, and I know we all encourage the folks that we interact with to just make up those answers and then store the made up answer in a password manager and that way you know if they ask you what was the street you grew up on and you put down blue. Well, nobody's going to really be able to social engineer that out of you or any of your social media profiles, and then you might not even remember the answer, but it's stored in your password manager.

Mandi Rae:

Yeah, those are all really helpful things. This slide is overwhelming and I feel like we could go down any number of avenues. So more about big data.

Kyle Rosendahl:

Yeah, so at this point, right, I mean, we've touched on it a little bit, but who's looking for this information? Right, there's nefarious hackers who are looking, as Eric just said, to get those knowledge-based questions about you, to bypass your security controls and get your password or change your password. Um, you know, social engineer you to click on things that you shouldn't be, that lead you to malicious websites, right? Advertisers, vendors, they want to sell you stuff and they want to do it better and faster and more efficiently. And one thing we haven't really touched on is law enforcement looking to kind of collect this data to help solve cases, whether it's forensics information coming out of data on your phone or device, or even your location-based policing, where they're looking for riots or the scene of a crime. And now they're pulling GPS data off people's phones to see, you know, who happens to have been in the area at the time of the crime.

Nick Mellem:

All of that's happened. Big data, slash big brother. I think a big one too, Kyle, here is that the location went out for all the active school shootings. So they're looking for that kind of information, who's in the area, what's happening, and then using social media for that as well. Yep, absolutely.

Eric Brown:

Well, we saw that with the riots in DC, didn't we? They were going after people who just happened to have their phones on in that area.

Kyle Rosendahl:

Yeah, and if you actually go to the next slide, there's some kind of anecdotes. That one down there at the bottom right: Capitol rioters' arrests are made after the warrant was given for GPS data. So even if you were, you know, within a certain radius of Washington DC or the area where the riot took place, they were making arrests and questioning you, regardless of if you happened to be there or not, right? Likewise, all of these are different ways that big data was used and correlated to make changes in real life, right? This is how it actually affects real people, so you know.

Kyle Rosendahl:

Another one: a man was arrested for his Google GPS data. He happened to be on a bike ride, biked past a house where someone was murdered. The police saw that his phone was in proximity around the time that they think the murder took place and they brought the guy in for questioning. You know, they had no other reason to believe he was involved beyond the point that he was on his bicycle riding past and his phone showed that he was there. You know, China's using facial recognition data scraped from phone cameras and their kind of social media platform over there to help kind of control human behavior with their kind of social currency system that they have over there, and then their credit scores. Yeah, social credit?

Kyle Rosendahl:

Yeah, it really is. And then there's other stories like IRS Get Transcript: use knowledge-based authentication to allow you to get past IRS tax return data, and social engineering and open source intelligence to figure out people's answers. And then we're getting old transcripts of tax returns and then using the old data to submit new tax returns for these people and steal their IRS tax returns.

Mandi Rae:

Wow, and that can happen right under your nose. And how would you be any of the wiser? Yeah, you wouldn't. Yeah, exactly. My eyes are really drawn to diapers and beer, so could we dive into that a little bit? Yeah, and that's...

Kyle Rosendahl:

That's another good one. Um, a major retailer in the US, just using statistics and sales statistics, were finding that, you know, based on people's purchases, a lot of them would purchase diapers and beer at the same time, right? So by correlating all of these sales across the entire United States, looking at, you know, when people were coming in to shop and what purchases they were making, they were finding that, you know, this correlates very closely.

Kyle Rosendahl:

A lot of people who buy diapers also happen to buy beer. And what they discovered through that is oh, these are all you know new fathers, or fathers of new babies, who are kind of being sent out of the house by the wife who's home with the baby or the woman who's home with the baby to, you know, go out and get new diapers because we're running out. And since they have less time to go out for drinks with friends after the baby arrives, they were also purchasing alcoholic beverages at the same time as purchasing diapers to enjoy at home. So, using that information, then they were able to scoop stuff closer together at the store and even increase sales after that point. So pretty interesting stuff.

Mandi Rae:

I have to be honest, and the minute I heard about this, I know the retailer you're talking about because I shopped there and I saw the two together and I was like, irony, like that's, it's genius, it's brilliant. They're right next to each other. Uh, anyone who has kids could understand why you might need to drink a little more, right? Yeah, exactly. There's the, um, so we'll call out the retailer I think you're talking about, which is Target.

Eric Brown:

Um, and Target was the subject of an interesting data analytics, um, article by Charles Duhigg, uh, and he wrote an article for the New York Times. But there's a statistician at Target named Andrew Pole, and Andrew is pre-pregnant women, so women right before they're going to be pregnant, so that Target is able to capture all of that revenue associated with a person becoming a mother, and then post-pregnancy, the formula, the baby food, the diapers and all of those sorts of things that you... All the things.

Eric Brown:

All the things that you both are very familiar with, which is a lot of revenue, right? And so the statistician, Andrew, built an algorithm that would identify who was pregnant and then would build targeted advertising towards them. So, like, you get the, you know, the mailer in your mail and then it would have things that they've deemed are of interest to you.

Mandi Rae:

This makes sense to me. What they do is they send special postcards that would be like really valuable diaper coupons or 20% off your entire purchase in this area, and it's something that you don't get unless you're on a list, and people love stealing them out of your mailbox. So I can't wait to hear what you're going to say next.

Eric Brown:

Oh yeah, well, so what they did was they, as you said, created these algorithms to target you, mail you something that was enticing for you, and they did this. Apparently, it was working well, uh, but one day a father storms into Target and says, why are you targeting my teenage daughter with this sort of advertisement? As any father would, but it turns out that his daughter actually really was pregnant. So what a hard way to find out. So Target knew she was pregnant before her family did.

Eric Brown:

You got it, yeah, so lots of money in that, right? And what they did was, they didn't stop advertising, they just changed it to make it more subtle. So, instead of the front page of the ad that's targeted towards, you know, a certain demographic, maybe, you know, as we're talking about pregnant women, instead of having discrete baby stuff, well, they'll have some baby stuff and then maybe they'll mix in, like, some sports stuff or, you know, some coupons for other things. So it doesn't look like it's just targeted towards one person, but the person that it is targeted to is going to key in to the actual ad itself and, um, subconsciously, not know, but subconsciously be attracted to that ad.

Mandi Rae:

From a marketing perspective, how amazing that technology can help lend your hand to there. That's incredibly strategic and you're getting really hyper-focused to your demographic. From a personal standpoint, it all feels icky.

Eric Brown:

And the thing that sucks, like, I think this is back, I don't know, early 2000s, right? I think it's pre-2010. I could be wrong, but the analytics and the pervasiveness of this has gotten tenfold worse since then, with the ability to set cookies in browsers, collect information from people's homes through the Google Homes or the Amazon Alexas or these other things that are just listening to us all of the time and building these profiles that are so targeted. It's not like watching TV in 1950, when there's an ad for butter, you know, butter or something on the TV, and you're like, oh, I don't like butter. Well, now they're not even going to show you something that you don't like. You're going to get ads so targeted that you're buying stuff that you really think that you like, but, you know, you don't. It's probably a masterclass in advertising.

Mandi Rae:

Yeah, it reminds me, like, I've been recently doing a lot of things. My grandmother had a stroke and I'm supporting her in a home and I've been talking to a lot of her different caseworkers and stuff. She has different needs now and so I've been talking about Depends a lot, right, and I'm not writing about it, I'm not searching them up, I'm not doing anything, but I am talking on the phone about it. And lo and behold, I have all these incontinence product ads popping up on my feed, you know, different things coming up, and that's just one of those things where it feels really invasive again, that something is listening to me and targeting things towards me where I don't ever want to talk about Depends again in my life. I don't need the coupons, I don't need the ads, I'm not an interested party. But someone was listening in to a private conversation.

Kyle Rosendahl:

Yeah, so typically at this point in the presentation we're just talking about.

Kyle Rosendahl:

You know, if we're uncomfortable, like Mandy is saying, with these things being collected, and if you're uncomfortable with someone listening to a phone call or listening to you through a device or you know it may not be a person on the other end, but at least an algorithm or some sort of machine learning or some sort of program, you know there are ways to reduce the amount of information about you going out there and kind of what the rest of this presentation and what the rest of these sessions that we're going to do here are going to be about are just some really specific things you can choose to do with your emails, with your messaging, with your you know your phone, even with things like your tax information or you know personally identifiable information settings, and things that you can change to make your life more private and ensure that these types of trackers aren't attached to you and people aren't able to kind of follow you and your life like they would be had you not, you know, taken some of these measures.

Eric Brown:

People like Nick Mellem. Nick's been social engineer extraordinaire.

Nick Mellem:

I'm gonna pick on him. I'm just getting ready to social engineer everybody. I wanted to social engineer everybody.

Mandi Rae:

I wanted to social engineer your mom and you wouldn't let me. Never. That's sacred. I understand.

Eric Brown:

Nick, and this is probably a little anecdote that I go into sometimes when giving these presentations, around what nefarious actors do, or even law enforcement who might be trying to solve a crime. They will do some dumpster diving, right, so going into trash at a location or a person's house to find out information about that person. So law enforcement does it, uh, nefarious actors do it, and we talk about this, I think, later in the presentation. But really being aware of that and putting your trash out the same day or as close as you can to the time that it's picked up, and then, if you have any material that is sensitive, shredding it, uh, with a cross-cut shredder before you recycle it. So that one is, I don't know, I always think it's something that's just to be aware of, but it would be kind of cool to catch somebody on camera going through a dumpster.

Nick Mellem:

Yeah, I think with the shredding it as well, if it's really sensitive information, we would also recommend using a service to pick it up. You can shred it. You can also have services that will pick up that box of shredded documents and they'll take it and they'll dispose of it. But all this goes back to social engineering, because you can actually dumpster dive. But you can also use all this data that we're talking about right now as a dumpster on the web that we can go and we can pick through this information and we can create that spider web, and that's how we create that spear phishing attack or just a broad attack where we can pull in a lot of people, get a lot of information. And that's where being a social engineer, if you're the nefarious hacker, it's very lucrative. So it's a lot of good information here to kind of digest, and for a listener it's a little overwhelming and scary too. So there's a lot of ways to protect yourself. Yeah, so final slide here: personal data protections.

Kyle Rosendahl:

Next episode we'll be talking about how to keep your emails more secure and private, as well as kind of your personal messages, and then in future episodes we'll also talk about your internet browsing habits, things like history, cookies, trackers, which we teased up a little bit today, form data, passwords, and then really get into that PII and good disposal and sanitization of that type of information out there.

Mandi Rae:

So if you want more, you can check us out at itauditlabs.com. We also have a number of socials. We're on Insta, Facebook and LinkedIn. Thanks for tuning in today. Thanks, guys. We'll talk to you soon.

Nick Mellem:

Thanks everyone.

Mandi Rae:

Bye.

Eric Brown:

Want security leadership without the headcount? As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation to improve cyber posture while reducing risk. Contact IT Audit Labs to find out more.