Approximately 70 percent of Americans use social media to connect with one another, engage with news content, and share information. Most users access social media platforms and consume content on their smartphone, just one of the many smart devices we use to monitor our health, fitness, and sleep; secure our homes; tell us the weather; and cue up our favorite songs, shows, and movies. But the convenience of smartphones and the instant connectivity of the internet and social media come at a price, namely the security risks hidden in our favorite apps and devices.
October is National Cybersecurity Awareness Month (NCSAM), an annual initiative spearheaded by the Department of Homeland Security to raise awareness about the importance of cybersecurity. To mark the occasion, we asked several BU privacy and security experts—Ari Trachtenberg, a College of Engineering professor of electrical and computer engineering and a member of the BU Cyber Alliance, Gianluca Stringhini, an ENG assistant professor of electrical and computer engineering, and Ran Canetti, a College of Arts & Sciences professor of computer science and director of the BU Center for Reliable Information Systems and Cyber Security—to shed light on the top vulnerabilities we need to know about. They discuss security and privacy threats consumers and businesses unknowingly expose themselves to, and outline best practices for protection.
Smart Devices and Social Media
BU Today: How can we protect ourselves in a connected world?
Trachtenberg: Smart devices quietly nestle well within our comfort zones and into our most private spaces: bedrooms, bathrooms, doctor’s offices, etc. At the same time, they are filled with all kinds of sensors that allow them to record and permanently store all kinds of information about our most private moments. The best way to protect yourself is to be aware of this, and keep all smart devices away from your most intimate environments. I, for example, keep most smart devices (TVs, speakers, etc.) out of my home; the few I cannot avoid (smartphones), I keep in a designated location that does not have access to my private areas.
How are we putting our personal information at risk when using social media?
Trachtenberg: I think that many users don’t realize that they are not only putting their own information at risk when they’re using social media, but also the information of their friends and acquaintances. For example, when you put up a picture of yourself with a friend at a location, you are sharing with the social media company (and, quite possibly, all of their third-party affiliates) your connection to the location—and your friend’s connection to the location—whether or not your friend wants ad agencies to know this.
The same thing goes for messages you leave on your friends’ social media accounts, or, potentially, even “private messages” that you send to them through social platforms. In short, when you are using a “free” service online, always ask yourself—how is this service making the money to pay its engineers and maintain its hardware? Often the answer is that it’s selling information about you and your friends.
Canetti: We provide online service, app, and content providers with detailed information about our whereabouts, our thoughts, our feelings, our moods, and our life patterns. Our every move is recorded, and aggregated with the moves of others. These content, social platform, and app providers sell this data to third parties who can weaponize it against us—catching us at our weak moments and manipulating our thoughts and behavior.
What are the consequences of this behavior?
Trachtenberg: I think that the top security threat today is not directly from overtly malicious actors, but rather from the huge amount of information that is accumulated about each and every one of us through all the devices that we use regularly. This information, inevitably, leaks to actors with very different interests than us (including malicious actors), and it can be harnessed very effectively to cause damage.
What can we do to avoid this risk, while still being active on social media?
Canetti: We can opt out of providing our information to content, app, and social media providers. This cuts them off from the ability to leverage our data, and share with advertisers and other third parties. This might cost a small price, but it’s more than worth it.
What is the top security threat you anticipate employees will face in the near future? What are the repercussions for both the employees and the businesses they work for?
Stringhini: Ransomware is currently the golden standard of cybercrime. Unlike other cybercrime schemes like fraud and spam, the criminals are not trying to convince their victims to purchase some sketchy good, but instead offer to give them back access to their data in exchange for money.
Unfortunately, victims often have no choice but to pay their extorters. This significantly increases the return on investment for cybercriminals, and has serious repercussions for both private citizens and companies, who are constantly being targeted.
Trachtenberg: There are many truly frightening ways malicious actors can exploit our digital trails in the workplace. For businesses, a serious example is CEO fraud, wherein criminals imitate the email or phone call of a CEO/CFO in requesting large transfers of money, or possibly the businesses’ network and data.
Both of these are exacerbated by the emergence of “deep fakes,” wherein machine learning techniques are used to craft messages that look or sound identical to the person being scammed (i.e., from a few samples of a CEO’s speech, it is sometimes possible to realistically craft different speech, which the CEO has not stated, in the CEO’s voice).
Is there an easy fix for this risk that employees and businesses should adopt?
Stringhini: To mitigate the risk of being hit by ransomware, users should constantly keep backups of their data. This can be automated—for example, scheduled to happen once a week.
Trachtenberg: It is very hard for an individual to protect themselves from CEO fraud and deep fake vulnerabilities, much like it is hard for an unarmed civilian to successfully defend against an armed criminal. Individuals should always be skeptical about any unsolicited information that they are given, and companies should have established, secure mechanisms for making significant transfers. They should also put in place prespecified protocols for dealing with and responding to security emergencies.
Best Practices for Protection
What is the most overlooked security feature?
Stringhini: Enabling two-factor authentication can help people keep their online accounts safe. With two-factor authentication enabled, it is not enough for attackers to know an account’s password to log into it, but they also need to get a hold of a second token, which is usually sent to the user’s mobile phone. This significantly raises the bar for attackers to successfully compromise online attacks, and protects users from the consequences of large data breaches and phishing attacks.
What is the most important “cyber hygiene” routine that’s easy to maintain that everyone should adopt to ensure better security?
Stringhini: Once a weakness is discovered in a program, the developer usually fixes it rather quickly. Keeping your software constantly updated drastically reduces the chances of getting compromised. Most programs nowadays provide automated updates, which is a great way for people to stay secure while at the same time not having to remember to constantly update their computers.
Trachtenberg: Actually, it is what we teach our engineering students throughout their study—understand the basis for the information that you are receiving, and be skeptical of any claims that are not substantiated in a manner that you can reproduce.