I'm really on this data privacy and forensics kick, so I've got another post to help make you even more paranoid. Let's talk a little bit about how information regarding you or your family including preferences, habits, interests and other tidbits of information can be siphoned from everyday technology in use around you. Here are 10 everyday items we use which can destroy our privacy one bit at a time.
Vehicle GPS – You can save favorite routes, your last route, restaurants, hotels, etc. on these devices.
Vehicle diagnostics – Can track statistics and averages for trip time, trip length, speeds, acceleration, etc.
Portable media players – music, photos, videos, digital audio notes, podcasts. (These are great for profiling an individual for social engineering attacks)
Identification – Military IDs, new US Passports and some state driver licenses now include RFID chips which can be read very easily. A US service member's medical history is now embedded on their chip. WOW! RFID uses weak security and wireless transmission….bad combination.
Cell/Smart phones – Important contact information, calendars, attachments, they're mini computers but we treat them worse than our car keys.
Voicemail – Here are the four default codes used by nearly all answering machines and VM services by default. 0000, 1234, 9999 and last 4 of the number dialed…try calling random numbers until you get VM and login using these…bet you get "lucky" more than once.
Cable and satellite boxes – can record viewing habits, pay per view and other oddities.
Video game systems – Online services such as Xbox Live track every statistic under the sun regarding what you play, when, with whom, what media content you download and tons of other stuff.
Frequent shopper cards – Go to the grocery store, check out and swipe your store loyalty card for the discounts. Your entire purchase history is now stored in a database and tied to your demographics.
eBook readers – Ok…maybe this one isn't mainstream yet but it's popular with the college crowd. How about your entire personal library being open to inspection?
Now I know what you're going to say. "Dave, please step into this padded room, it's for your protection." And that may be true. I'm certainly not out to say we shouldn't use any or all of these devices. But, to do so without understanding the potential downfalls as related to privacy is naïve at best. It also goes to show why more criminals are looking at online networks to discover information about their victims.
The flip side of this is from the law enforcement and government perspective. If accused of a crime, these are all the areas of your life which might be inspected in order to find motive, opportunity or other elements of a case against you.
Sorry folks…whether you like it or not you have a digital persona, and it's not even on Facebook, MySpace or some other social networking site. It's woven into the very fabric of our everyday life. Get used to it.
Gotta go…my refrigerator just alerted me we're low on milk, eggs and hot fudge sundae topping.
I talk to a lot of people who are scared to death about what their kids can say, do, see and hear online these days. I'm one of them. My wife has stated on several occasions that she's glad I'm in the profession I am with 4 kids under the roof. Now hopefully they'll be more technology savvy than I one day, but until then "Big Brother" will be watching and usually one step ahead.
So how is a parent who's, let's say…technology challenged, supposed to keep tabs on the online habits of their kids? Easy…don't let them go to the public library. The library is a free for all when it comes to online information. Many of the librarians associated with the ALA balk at any sort of restrictions placed on internet usage, regardless of the patron's age. In fact, in Iowa, a parent currently is prohibited BY LAW from seeing the book loan history or website visits of their minor children. PERIOD! I'm working to change that but could use some help. If you are interested send me a note or post a comment. But I digress…
So how can a parent check up on their kids? I've got a few suggestions. Some might seem a bit Draconian so pick and choose what suits you and your family's culture.
Install a keystroke logger. This nifty application records every keystroke made by the keyboard and compiles a log for you to read.
Pros: Captures everything (almost), hidden in the background so kids might not even know it's there.
Cons: Captures everything. You might have to do some skimming or filtering. Can be defeated by "online" keyboards, and other tricks.
Install web filtering software which has Deny and Allow functionality. You can "deny all except…" or "allow all but….". There are services which update these lists.
Pros: Pretty effective for giving some freedom within reason, relatively unobtrusive
Cons: Usually has a subscription fee, can be thwarted with a proxy or Microsoft's new Bing browser.
Get familiar with the index.dat file. It's a database of web history for Internet Explorer. Even after deleting your history and cache files this little nugget of gold holds basic web browsing history FOREVER!
Pros: Has the basic web history for a given user account logged in to Windows.
Cons: You'll need a free viewer like Mandiant's Web Historian to decode the file. This only is good for a user account.
Setup user accounts for each child on your comptuers and explain to them that if they share passwords with each other or their friends, they will be held accountable for anything that happens under their account…just like you are at work.
Pros: Helps them establish personal responsibility, isolates actions which can be traced back to the child.
Cons: Isn't always easy to control on multiple computers without a centralized server. Better used when the child only accesses one computer.
Like I said…you might not like all of these suggestions but maybe one of them fits your family's value system. Whatever the case maybe, parents need to get a little comfortable with doing some digital forensics on their home computer. Most of us wouldn't have a problem snooping in our kid's bedroom if we thought something was up. Why not carry that over to their digital lives as well?
If you are a parent out there and want some help with this subject PLEASE contact me. Whether you simply want to talk about some options, want to learn more about the technology or would like me to come speak to a group of parents about this subject, I'm always available.
The NEbraska Cert Conference (NECC) will be hosted in Omaha on August 18th and 19th. I'll be presenting a session entitled Working with IT Auditors: A Recipe for Success. In short the session will cover the following topics.
An overview of the IT audit process
Roles and responsibilities during an audit
Building a partnership with IT auditors
Working toward a win-win scenario
Audit killers and savers
The NECC registration is only $250 and is a good value if you're looking to build some CPE credits. You'll be hard pressed to find a conference or other training at that price. It's also a great way to build some networking contacts in the region. Hope to see you there.