The privacy discussion – How ISPs, search engines, and social media services collect your information

The repeal of the FCC Internet privacy rules has spurred on much discussion on privacy online and how companies collect and use that information.  I have fielded many questions on what this means for consumers and their privacy when going online, using search engines, and social media.  Some have wondered how Internet Service Providers (ISPs) differ from search engines and social media in how they collect consumer data.

The difference between how ISPs and social networks or search providers collect and use data comes down to the how easy it is for consumers to switch from one provider to another, the ability to opt out, and the ability to circumvent data collection.

Switching services

The primary difference is in how easy it is for consumers to switch providers.  Search engines are the easiest.  Simply navigate to another search engine, such as DuckDuckGo which does not track its users, and issue the same search.  Yes, the results may vary, and you may be less satisfied with the results, but the process is simple.  It takes very little time, and the impact is not great.  However, search providers offer more than just searching.  Email, cloud services, stock tracking, shopping and other services may also be tied into your search account, so for consumers to fully move away from the platform, they must also adopt new providers for each of these services.

It is a little more difficult with social networks because not all users are on all social networks and social networks cater to certain types of social sharing.  If a user decides they do not like how one social network uses their data, so they decide to leave, they may be unable to communicate with some people who are not on the next social platform of choice, or they may miss out on updates from some of their contacts.

Now let’s look at ISPs.  To change ISPs, a user must contact the ISP, which might involve breaking a contract and paying fees.  They must then pay for new service from a different ISP and wait until that provider can connect their service.  This might result in a period where the user cannot connect online.  There are some cases where there is only one ISP in the user’s region, so they have no choice but to work with that ISP no matter what their privacy policy is.

It is clear that it is more difficult for consumers to change their ISP or their social network than it is for them to change their search engine.  However, it is not clear whether it is more impactful for consumers to change their ISP than their social network.  It may also be more difficult for consumers to switch their search provider if they intend on fully disconnecting from that provider because this involves changing email, shopping, and other services as well.

Opting out

There is also a difference between ISPs and social or search providers in the ability for users to opt out.  Prior to the privacy rules that were recently repealed, ISPs opted in each user but allowed them the ability to opt out.  This is something that Facebook and Google do not do.  If you want to use Facebook and Google, you will be tracked and your data used.

Circumventing data collection

I believe the largest difference between the ISP and the social network or search providers and their collection of data is that ISP data collection can be circumvented with the use of a VPN.  ISP data collection takes place because they are an intermediary to the communication channel.   This gives them a broad view of the myriad tasks a household performs online which can be valuable in building a profile of a household.  However, the entire process can be circumvented by utilizing a VPN.  When users are on a VPN, the ISP only sees connections originating from the household (IP address) and going to the VPN service.  They do not see the traffic that goes over the connection since it is encrypted.  However, the services at the other end still do see the traffic since the traffic is designated for them.  In order to use a social network, a user must log in, and requests must be sent to the social network.  Requests cannot be sent to an intermediary to perform on their behalf.   The only alternative would be for users to set up fake or random accounts that are used for perusing social networks and then discarded but the use case of such a system would be limited due to the requirement of sending friend requests, and it would violate many social network’s terms of use.

This article is sponsored by JURINNOV, a TCDI company specializing in cybersecurity and computer forensic consulting services.

The top 10 ransomware attack vectors

Ransomware is infecting the computers of unsuspecting victims at an astronomical rate. The various methods that cybercriminals use to take over a machine and encrypt its digital files are called the attack vectors, and there are quite a few.

In this article, we’ll explore the top 10 ransomware attack vectors. The first five exploit human weaknesses through social engineering attacks. In other words, they use carefully crafted messages to entice victims into clicking a link, downloading software, opening a file or entering credentials. The second five spread ransomware computer to computer. Humans may be somewhat involved in the process by navigating to a site or using a machine, but they are primarily automated processes. Let’s take a closer look at each attack vector:

1. Phishing
Phishing is a social engineering technique where phony emails are sent to individuals or a large group of recipients. The fake messages—which may appear to come from a company or person the victim knows—are designed to trick people into clicking a malicious link or opening a dangerous attachment, such as the resume ransomware that appeared to be a job candidate’s CV.

2. SMSishing
SMSishing is a technique where text messages are sent to recipients to get them to navigate to a site or enter personal information. Some examples include secondary authentication messages or messages purporting to be from your bank or phone service provider. Ransomware that targets Android and IOS-based mobile devices often use this method to infect users. For example, after infecting your device, Koler ransomware sends a SMSishing message to those in your contacts list in an effort to infect them as well.

3. Vishing
Vishing is a technique where ransomware distributors leave automated voicemails that instruct users to call a number. The phone numbers they call from are often spoofed so that messages appear to come from a legitimate source. When victims call in, they are told that a person is there to help them through a problem they didn’t know they had. Victims follow instructions to install the ransomware on their own machine. Cybercriminals can be very professional and often use a call center or have sound effects in the background to make it seem like they are legitimate. Some forms of vishing are very targeted to an individual or company and in such cases, criminals usually know quite a bit of information about the victim.

4. Social media
Social media posts can be used to entice victims to click a link. Social media can also host images or active content that has ransomware downloaders embedded into it. When friends and followers view the content, vulnerabilities in their browser are exploited and the ransomware downloader is placed on their machine. Some exploits require users to open a downloaded image from the social media site.

5. Instant message
Instant message clients are frequently hacked by cybercriminals and used to send links to people in a user’s contact list. This was one technique used by the distributors of Locky ransomware.

6. Drive-by
The ‘drive-by’ technique places malicious code into images or active content. This content, when processed by a web browser, downloads ransomware onto the victim’s machine.

7. System vulnerabilities
Certain types of ransomware scan blocks of IP addresses for specific system vulnerabilities and then exploit those vulnerabilities to break in and install ransomware onto the machine.

8. Malvertising
Malvertising is a form of drive-by attack that uses ads to deliver the malware. Ads are often purchased on search engines or social media sites to reach a large audience. Adult-only sites are also frequently used to host malvertising scams.

9. Network propagation
Ransomware can spread from computer to computer over a network when ransomware scans for file shares or computers on which it has access privileges. The ransomware then copies itself from computer to computer in order to infect more machines. Ransomware may infect a user’s machine and then propagate to the company file server and infect it as well. From here, it can infect any machines connected to the file server.

10. Propagation through shared services
Online services can also be used to propagate ransomware. Infections on a home machine can be transferred to an office or to other connected machines if the ransomware places itself inside a shared folder.

Be cautious and skeptical of the messages you receive, whether they come from email, instant message, text, voicemail or social media. Ransomware distributors are crafty and one click could be all it takes. Technical controls are also necessary to screen out unwanted content, block ads, and prevent ransomware from spreading. The most important thing is to have adequate backups of your data so that, if you ever are attacked, you can remove the virus and download clean versions of your files from the backup system.

Continue reading

Social networking strategy

Social networking is my thing this year and I just wanted to share my strategy with you in case you find it useful.

I spend about 30 minutes each day managing my Twitter and Linkedin accounts and it really helps.  Each day on Linkedin, I search for others I can connect with. I also look through my connections and find people whom I can endorse and after endorsing them I ask them to endorse me as well. I added my social networks to my email signature so that people I communicate with will add me or view my social networks.

Weekly, I look for one thing on my Linkedin that I can improve and then I improve that area.  It may be adding more detail to a section or revising some wording but I make regular edits.  Next, I Google myself to make sure that no negative information appears about me and that my positive sites appear early in the search results.

Most employers Google potential employees and they check their Linkedin, Twitter and public Facebook so it can really pay off.  You can also search for jobs on Linkedin but it will only show jobs that you are connected with so as you add more connections, more jobs will become available.  I never would have landed the book contract if it weren’t for Linkedin.

No Place for Privacy

While many people think that a person’s social media posts, photos and conversations are protected as private information, especially if the user has “private” settings, courts have thus far denied this privilege. In one case in Virginia, an attorney advised his client to delete incriminating photos from his Facebook and later deactivate the account. This spoliation led to fines for both the client and the attorney – and may have ended the attorney’s career.

For more information on this case, click here.