Legacy infrastructure challenges while working remote & how to overcome them

Behind-the-firewall applications are foundational to the work of most organizational teams, and the VPN, yesterday's solution, is under tremendous strain from exponentially increased traffic.
New problems such as the pandemic require newer solutions such as Zero Trust to break up the monolithic infrastructure and move things faster in a secure way.


Do Not Answer the Question – The Facebook Linked Social Engineering Campaign which you should avoid

In December 2017, Facebook released a new feature called “Did You Know”, which has now been rechristened “Answer a Question”. Though it might seem innocuous at first, there is more to it than meets the eye. It can be found among the numerous post options listed while sharing an update (screenshot below).

Let’s first get some backstory about this feature. In October 2017, Facebook acquired tbh (to-be-honest), an app that lets people anonymously answer kind-hearted multiple-choice questions about friends, who then receive the poll results as compliments. Within a month, FB started allowing users to answer a whole range of questions, from food to superheroes. It is speculated that, with dwindling user interest in general status updates, Facebook has been trying to bring novelty with Stories & Live updates from users. Integrating tbh into this new phenomenon seems more than just a gimmick.

Social media is intrusive by design, but querying people about their preferences, deepest desires or phobias doesn’t come easy. Sending two-minute surveys to users wouldn’t have helped either. Hence this nifty feature from Facebook, encouraging people to dish out their tacit information voluntarily through harmless-looking everyday status updates. But are these really harmless? I don’t think so.

Security Scare?

Not only is Facebook asking questions, it is inadvertently aiding in what we security professionals call “Social Engineering”. Let’s get the definition in context: “It is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”

Facebook might be legally using this data (collected as answers) for targeted advertising & profiling of users based on a number of parameters and whatever it feels would be valuable for digital marketing. Facebook had 2.2 billion monthly active users by the end of 2017, which makes it a treasure trove for any sort of information it can gather from even a fraction of this ginormous population. By answering a question such as “Between carrying a bag or a backpack, I usually…” you might start seeing bag or backpack ads in your profile in the very near future. Or “Between spring, summer, winter and fall, I prefer…” might start showing you a fashion range for your chosen season.

However, from a security perspective, what scares me the most is the great cache of data a potential hacker or even an online stalker can get from the replies to questions such as these (a few reproduced below):

  1. A sport I love watching on TV is…
  2. My oldest friend is…
  3. One of the first homework assignments I failed was…
  4. I would love to go to the concert of…
  5. When I was a child, I wanted to be…
  6. The film that best describes the story of my life is…
  7. What city would you like to live in?
  8. The subject I liked the most in high school was…
  9. A painter I admire is…
  10. I’m careful about…
  11. My favorite sport is…
  12. The last photo I took on my phone was…
  13. If I could be a fictional character, I’d be…
  14. The day of the week I love the most is…
  15. If I could meet any figure from the past or future, I would want to meet…
  16. The person I’d trust with my life is…
  17. I’m terrified of…
  18. The series I never get tired of watching is…
  19. The last time I lost my keys was…
  20. One of my favorite music genres is…
  21. A favorite class of mine was…
  22. For me, the perfect age to get married is…
  23. An author whose work changed my life is…
  24. My dog’s name is…
  25. If I could be any celebrity for a day, I would be…
  26. Between shopping online and in store, I prefer…
  27. One word that describes me is…
  28. Would you rather get up early or late?
  29. If I were to go to the store right now to buy ice cream, the flavor I would pick is…
  30. My hidden talent is…
  31. I couldn’t live without this app…
  32. My favorite game when I was a child was…
  33. I would like to travel to…
  34. What I like least in a person is…
  35. I bite my nails when…
  36. I met my significant other at…
  37. Do you live where you were born?

The last question in this list (along with many others above, the more direct ones highlighted) has often been used as a secret question to reset your password on many websites, such as social media, email, forums and work accounts, including internet banking. Even where the form isn’t exact, answers to other secret questions could be guessed through careful deduction. Not to mention, these tidbits can also be leveraged for cyber-bullying & online shaming in extreme cases.

Combined with the many other data points easily available about every individual, this data can make it much easier for a perpetrator to carry out an online attack. Beyond accessing your online accounts, this information can also help miscreants create fake profiles in your name and gain personality insights about you to carry out other forms of online or real-life attacks.

Safety Tips

  • The best safety measure is to NOT engage in any such Q&A.
  • However, if you can’t restrain yourself & feel compelled to answer, then restrict the audience to “Only me” or a limited set of known friends. Under NO circumstances should you choose “Public”.
  • Also, as an additional measure, answer your security questions with lies on all websites. You won’t be committing perjury by doing so; rather, you will be safe from unforeseen attacks.
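To make the two points above concrete (the overlap between these prompts and password-reset questions, and the advice to answer recovery questions with lies), here is a small added example of my own, not code from the post or from Facebook. It flags which prompts touch the same facts that recovery forms typically ask for, and generates a random, untrue recovery answer with the OS CSPRNG. The topic table, its keywords and the short word list are assumptions constructed for the example; a real deployment would use a long published diceware-style list.

```python
"""Triage social-media prompts against recovery-question topics and
generate random (untrue) answers for the recovery questions you do set."""
import math
import re
import secrets

# Recovery-question topics commonly seen on password-reset forms, each with
# keywords suggesting a social-media prompt is fishing for the same fact.
# Constructed for this example; it is an assumption, not an authoritative list.
RECOVERY_TOPICS = {
    "place of birth":          ["born", "hometown", "grew up"],
    "pet's name":              ["dog", "cat", "pet"],
    "school / favorite class": ["high school", "subject", "class", "teacher", "homework"],
    "oldest or best friend":   ["oldest friend", "best friend", "childhood friend"],
    "favorite sport / team":   ["sport", "team"],
    "spouse / how you met":    ["significant other", "spouse", "married", "wedding"],
    "childhood memory":        ["child"],
    "most trusted person":     ["trust with my life"],
    "biggest fear":            ["terrified", "afraid", "phobia"],
}


def overlapping_topics(prompt):
    """Return the recovery-question topics a single prompt overlaps with."""
    text = prompt.lower().replace("\u2019", "'")  # normalise curly apostrophes
    hits = []
    for topic, keywords in RECOVERY_TOPICS.items():
        # whole-word match so "class" does not fire on "classic"
        if any(re.search(r"\b" + re.escape(kw) + r"\b", text) for kw in keywords):
            hits.append(topic)
    return hits


def triage(prompts):
    """Map each prompt to its overlapping topics ([] means no obvious overlap)."""
    return {p: overlapping_topics(p) for p in prompts}


# Small constructed word list (32 entries => 5 bits per word). Use a long
# published list in practice so each word contributes more entropy.
WORDLIST = (
    "amber", "basil", "cedar", "delta", "ember", "fjord", "gable", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nickel", "orchid", "pebble",
    "quartz", "raven", "saffron", "thistle", "umber", "velvet", "walnut", "yonder",
    "zephyr", "anvil", "bramble", "cobalt", "dusk", "falcon", "granite", "heron",
)


def random_answer(n_words=5):
    """An untrue recovery answer: random words from the CSPRNG. Store it in a
    password manager next to the account; it is not meant to be memorised."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(n_words))


def answer_entropy_bits(n_words=5):
    """Entropy of an answer built from n_words uniformly chosen words."""
    return n_words * math.log2(len(WORDLIST))


if __name__ == "__main__":
    # A few of the prompts quoted in the post, used here as sample input.
    sample = [
        "My dog\u2019s name is\u2026",
        "Do you live where you were born?",
        "The subject I liked the most in high school was\u2026",
        "I met my significant other at\u2026",
        "One word that describes me is\u2026",
    ]
    for prompt, topics in triage(sample).items():
        print(f"{prompt!s:50} -> {topics or 'no obvious overlap'}")
    print("example recovery answer:", random_answer(),
          f"({answer_entropy_bits():.0f} bits)")
```

The triage is deliberately keyword-based: its job is to make a reader pause before posting, not to be exhaustive, which is why anything that matches is reported rather than scored.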

New planet, new rules!

Social media is a planet (outside the solar system, of course) in itself. Every nanosecond, we are sharing & consuming data. How this data gets interpreted & consumed by zillions of other inhabitants is not under our control; the best we can do is exercise the utmost discretion while sharing. And apply the golden rule, “When in doubt, don’t share out”.