Sharing your birthday online and the risks it brings.

Categories Privacy

I am sure you are happy when you see the wall of congratulations on your Meta, Twitter, or LinkedIn feed. It brings joy, and sometimes the false impression that you have so many friends who care about you.

When you share your birthday publicly, you expose yourself to some risks, and you may become the target of a phishing attack.

Let me walk you through a simple scenario of how those attacks are executed.

The motivation of the attacker

The attacker has bad intentions. Their motivation, in this case, is to make you click on a link that could do a few things:

  • Lead you to a page where you enter even more personal information, which helps them execute more time-consuming attacks later, such as identity theft or a social engineering attack.
  • Get you to download an executable file (disguised as a birthday gift card) and install it on your computer, giving them access to your personal or corporate network.
  • Trick you into entering your credit card details: imagine a subject line asking you to chip in for your friend’s birthday gift.

Why would that work?

Let’s be honest here: you are more likely to click on a message that says “Happy Birthday, [your name], here is our gift for you” than on anything else. You feel special on that day, and you think with the emotional part of your brain.

Attack vector

Let me go through one of the possible flows of events (the attack vector) on a LinkedIn-type service.

  • If your birthday information is protected by a login-first method, the attacker checks whether there is a leaked email/password combination for you on this website and logs in with your account. Leaked data is still available for sale, and many people still reuse the same combination.
  • Then the attacker looks at your friends list and collects their first and last names.
  • If a contact has published their email, the attacker takes it from there. If not, they go to the contact’s company information and get the company’s email pattern from services like this one.
  • Then they need to construct the email and send it to you, keeping in mind that you should not receive tons of emails at once.

This could be run manually or easily automated with a web scraper and some basic Python scripts, making it work in just a few hours.

If you look at the attacker motivation section above, you could construct a scenario that works even better. Pretend to be the person with the most connections among your friends and send them an email a week before your birthday, asking them to buy you a present by submitting their credit card details on a special page. Of course, this page will look “credible”, because your picture, which you share publicly, will be shown there, together with an appropriate message to trigger your friends’ feelings.

You wouldn’t even realize that your friends had chipped in until they asked you how you like your new game console.


Those attack scenarios are just a few of the basic ones, covering some easy-to-exploit patterns supported by the publicly available data on your social media page.


An experiment

To support this with data, I created a small experiment, doing exactly what I described, manually, with some of my peers. 40% of them clicked on the link I sent while pretending to be someone else. Of course, on the landing page, I told them this was a joke and told them to be more careful next time. How many peers do you have on social media? Imagine 40% of them clicking because they want to make you happy on your birthday.

What can you do?

I know you are a smart person and you will find a way to protect yourself, but here is some advice from me to help you get started:

  • Stop sharing your birthday publicly. The friends who care about you will know when you were born and will find a way to congratulate you. Every service you use allows you to delete or hide your birthday, which limits the risk.
  • Check regularly here whether your account has been compromised, see what data ended up in the wrong hands, and consider removing that data from your profile.
  • Share the bare minimum of details with those services. The more you share, the bigger the risk for you.
  • Consider moving your account to a new type of privacy-respecting data storage.
  • Be careful about which messages you open and which links you click. Think before you click.

Help your friends

Sharing is caring. If you like your friends and you see them sharing their birthday information everywhere, send them a link to this article to warn them about everything that can happen when they expose this seemingly innocent detail about their most precious day of the year.

Identity theft with birthday information

As I said, some level of protection against phishing attacks is available to you by default from your vendor or ISP, but there is not much that can be done once you become a victim of identity theft.

I recommend reading this article to learn more in depth about this threat.

The header image is published under Attribution-NonCommercial 2.0 Generic (CC BY-NC 2.0) license

Doing threat modeling properly will help your teams create slightly more secure products.

Categories Security, Uncategorized

I created something beautiful, and I want to give the knowledge to you.

How did it start?

While analyzing the SDLC in a company I worked for, I realized there were a few dangerous gaps in our threat modeling process. I also talked with my network of professionals in other companies and understood that they have the same or similar gaps.

I decided to fix those gaps by creating a miniature product that I released under a Creative Commons license.

What were the gaps?

Traditional threat modeling approaches widely used today provide a false sense of security, leading to products and services that attacker personas can easily exploit.

I identified four gaps and will share two of them with you:

Gap 1: Limited exposure

Most of the time, threat modeling is done by a single person, either because they have the most knowledge of the system or because they compete with others for some company incentive.

Dialog is key to establishing the common understanding that leads to value, while documents record that understanding and enable measurement.

The framework’s goal is to make sure everyone has a chance to participate in the exercise, to raise the entire team’s security posture and strengthen the product lines in general.

The other benefit is that this can be adopted as an internal standard for all the teams inside the company, making sure we do the threat analysis with proper attention and using the same techniques.

Gap 2: Not aligned with the way we deliver software

The current approach to threat modeling is close to a Waterfall model, far from the dynamism of the modern (Agile) way of building software.

Threat modeling must align with an organization’s development practices and follow design changes in scoped iterations to manageable portions of the system.

We do the modeling at the beginning, and no one updates it iteratively. Protecto engages the team regularly to repeat the exercise and focus on the most critical security issues first.

How do I fix this?

Protecto contains three main items:

  • A set of conceptual and visual tools to use with your team to make threat modeling a fun and helpful exercise.
  • A process to follow to make sure your team’s skills are applied where they will be most beneficial.
  • A 90-minute workshop containing two modules; it starts with a beer-tap protection exercise to help you and your team understand the process and the tools.

Where can you learn more?

If you want to improve your threat modeling practices and start developing more secure products with Protecto, there are two options:

Want to stop the attackers? Could you not give them something to attack?

20 years in IT

Categories Stats

I realized something today. It’s been 20 years since I left my military intelligence occupation for a career in IT.

I’ve spent the last 20 years with my favorite 10 types of people – those who understand binary and those who don’t.

I’ve been working as a webmaster, web developer, web architect, IT manager, marketing manager, growth hacker, community manager, and product person in various countries and multiple industries.

I had some success stories and some stories that I am not proud of, but I learned some suitable lessons along the way.

If we worked together at some point in the last 20 years, thanks for allowing me to learn from you.

Spotify knows what you did the last G88gle search session!

Categories Privacy

I had a strange situation:

  • I was using G**gle Translate to transform some strings from English into a few of the languages spoken in India to greet my team better.
  • A few days after that, I opened my Spotify app, and surprise – my recommendation feed was full of newly discovered Indian songs.

This “coincidence” is nothing new; it happens a lot. Just be aware that whatever you do in G**gle is visible to multiple other parties.

And it’s not just G**gle. It’s almost every service that comes to you for “free”. It’s not free; it’s you that they sell for big $ to other companies.

Continue reading about the Spotify ethical violations from here.