
Sunday, June 21, 2020

The Dangerous Secrets Our Working-From-Home Photos Reveal - The Wall Street Journal


The coronavirus crisis is the perfect background for malicious snooping.

Photo: Photo illustration by The Wall Street Journal, photos by iStock

As more people work from home during the Covid-19 pandemic, they are sharing photos of their online meetings and remote-working setups—and that’s putting their security at risk.

My research into oversharing online shows that people often don’t realize how much personal information they are revealing in photos—images of their houses and hobbies that provide clues about their usernames, passwords and other personal information. And hashtags like #WorkFromHome and #HomeOffice make it convenient for crooks to zero in on photos that contain those details.

While we have yet to see any documented crimes based on photos shared during the pandemic, it is clear the boom in sharing exposes people to all sorts of dangers. The crisis is the perfect background for malicious snooping—because people are stressed and anxious to make any kind of personal connection, even if it is just revealing some small part of their home life.

Let’s look at a few avenues of exposure that put people at risk.

Spotting your vital stats

First, crooks can scour your photos to find personal information that you would never think of sharing, precisely because you know it can turn against you.

Consider a phishing email that claims to be from your bank. It says there is a problem with your account, and you need to log in immediately, using a provided link. To seem believable, the email would need to include your name, birth date and home address.

Now imagine that you had recently published two posts on social media. In one post, you shared a picture of your home-working setup, which displayed—in addition to your MacBook Pro and adorable cat—an Amazon package showing your name and address.

In another post, your colleagues shared a photo from a Zoom conference in which they surprised you with a birthday party. There’s a lovely cake pictured, and it also includes your age. Your friends included the hashtag #Birthday, which means a criminal could figure out your date of birth from looking at when the picture was posted.

Now go back to the phishing email. It has your name, address and birth date. And you click on it.

Criminals also can glean information about your passwords based on photos that are shared online—and are already tempting because of hashtags. It is well-known that passwords are often based on hobbies and names of loved ones and pets. Posting photos of your home office may suggest your interests and hobbies—for instance, Harry Potter books, fishing trophies or posters of your favorite sports team. Similarly, photos that name loved ones or pets can also provide hackers with hints to passwords.

My research shows that hackers may combine these hints with databases of common, or previously breached, passwords to boost their chances of success. For example, if you have Liverpool Football Club posters around your room, criminals might deduce you are a supporter and that your password may contain “liverpool.” By analyzing a list of breached passwords, easily found online, hackers can see that most people who use “liverpool” in their password add a significant numeral after it, such as liverpool11 or liverpool10, the numbers of two popular players.

Business secrets

But people don’t just expose their own secrets when they post home-office photos—they potentially expose their employers’ secrets, too.

My preliminary analysis of photos from the new wave of work-at-home postings has found that people unwittingly reveal images of sensitive internal corporate correspondence and webpages on their screens—a trove of information for criminals.

People can also inadvertently reveal more-complex information, with photos that show technical details about their machines, such as the serial number of a computer. With the right piece of information, a criminal might be able to email an employer’s IT help desk, pretend to be that employee and obtain information that will help them get access to the system or carry out other scams.

Likewise, hackers and corporate competitors might take advantage of photos that show the software companies use. Awareness of the software means knowing what software platforms to target and what security exploits to prepare. In some cases, the organization is using an outdated version of software, such as Microsoft Windows or Office, that hasn’t been updated to guard against new vulnerabilities.

Crimes such as burglary and theft are also still a serious threat. As individuals post photos of new remote-working setups, they also are including a range of expensive devices, the layout of their homes, and the locations of the nearest windows and doors. In combination with some of the other information mentioned above, this provides burglars with exactly the insight they need to determine what homes to break into, where to find the expensive tech, and how to get in and out.

To keep safe during the pandemic, we need to protect ourselves both in person and online. Cybercriminals are on the lookout!

Dr. Nurse is an assistant professor in cybersecurity at the University of Kent’s School of Computing in the U.K. He can be reached at reports@wsj.com.


Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.
