
Online Privacy & Risk Management

BSides Vancouver · 2022 · 31:09 · 165 views · Published 2022-07
About this talk
An open-source intelligence analyst examines how people inadvertently expose themselves online through social media oversharing, physical artifacts, and poor operational security practices. The talk covers threat modeling, common privacy mistakes, and practical strategies—from password hygiene and privacy settings to browser fingerprinting and account cleanup—to minimize personal risk.
Original YouTube description
One of the keys to online research is finding the digital breadcrumbs that people leave behind online. That said, this talk covers online privacy mistakes people often make that leave them vulnerable to bad actors. Ways to minimize the risk will be discussed including talking about OPSEC and basic tips everyone can use to protect their online footprint.
Transcript [en]

All right, I think it's time for me to start here. Hey everyone, welcome. Thanks for being here today. I'm doing a talk on online privacy and risk management, and let me just press play here. Let's get right into it.

All right, let me introduce myself. My name is Ritu Gill. I'm an open source intelligence analyst with 14 years with the Canadian government, specifically with law enforcement; 12 of those years I was with the Royal Canadian Mounted Police, Canada's national police force. I am an OSINT enthusiast. You can find me online on Twitter, where I go by the handle OSINT Techniques. I'm also an advisory member of OSINT Curious, which is a group of some amazing OSINT people. I work with many other great OSINT people teaching those who want to learn about open source intelligence. We post blogs, 10-minute tips and other content for those that want to advance their OSINT skills. I also have a website, OSINT Techniques, and I started writing courses for verified investigators on cyber training.

So what are we going to talk about today? The agenda today is to talk about some basics like definitions of OSINT, OPSEC, threat modeling; you might have heard some of these terms before. I will go over examples of how people compromise themselves online, and then I'm going to discuss ways that you can stay secure, and I'm going to share some resources that could also help with discovering your online footprint, and then find ways that you can remove some of this information.

So open source intelligence: it's a process of collecting, evaluating and analyzing publicly available information with the goal of answering a specific intelligence question. So this is my full-time job, and how it fits in with privacy, you might wonder: well, if people did a better job of managing their online footprint, it would make my job a lot harder. It would make it really difficult.

So let's talk about OPSEC. What is OPSEC? It stands for operational security, and the objective of OPSEC is to prevent sensitive data falling into the wrong hands. Okay, so we first want to identify that data that can be compromised, and then we want to take the steps to reduce the exploitation of that data. So think about it like this: a bad actor could use information you're sharing online and do something nefarious like break into your house while you're on vacation, because maybe you shared photos with your family saying that, hey, you're all away from the house, so it's empty. So some questions to think about, and let's start here: what can an adversary or a bad actor gain from looking at your online footprint? Where do you expose yourself too much online? How can you minimize those risks? These questions will help make your assessment. For you, having better OPSEC might mean preventing somebody with bad intentions from identifying you online or knowing where you live or work. Sometimes you don't want that information known, but there are some of you that need to take it another step further, and you need more protection because of the type of work you do.

Okay, so a threat model. I talked about some of this basic terminology. A threat model is a method of evaluating security and privacy risks in order to mitigate them; that's the point. Everyone's threat model will look different, and there are different levels of threat models. Okay, so some may only need to do basics like password-protect devices, use strong passwords, use two-factor authentication, where some of you might need to take it a step further and actively remove some of that public data from the internet. So you might be thinking, well, okay, how do I figure this out? Well, to figure out what your threat model is, you want to find the answers to questions such as: what information do you want to protect? So your house address, your work location, family members, your assets; these are things we typically want to protect. What are you doing now online, or what are you doing now that exposes you online? Do you have privacy settings on all your social media? What do you post online? And then, who might want to gain access to this information? This can be in the form of people you don't know who are looking for a soft target, for example. This can be in the form of, say, you apply to a job and a recruiter searches for your name on social media to see what you post, to get an idea about your character, right? It could be as simple as that: somebody wanting to get information about you. So from there you would conduct an assessment like this. It's a good reminder of how your online activity can impact you. You may move into a job where you need to reassess your threat model; that's why it's important to think about this often and reassess as necessary. And one thing I always like to point out here is risk factors. Definitely you are a risk factor, and what you do online, but also family members, friends, colleagues; they can inadvertently expose you online.

Some of you might be thinking, well, what are you talking about? Okay, well, I'm an OSINT analyst, as I've mentioned, and I search and find information about people all the time. There's an incredible amount of information people post online that gets used, and to give you an idea of what I need to start with, well, here's a list. So these are the things you want to protect. Okay, all these things allow me to find out more about you, so whether it's your name or a username, your email addresses, employment information. I call these digital breadcrumbs, and they help build a profile on a person or a business or whatever it is. At the end of the day, the more private someone is, the harder it is to OSINT; okay, the harder it is to find that publicly available information. So remember, these are things you want to protect, and yes, some people make it really easy.

So this post caught my eye. This person made it so easy to find information about him on Facebook: posted his current workplace, his job, his past job, where he lived, where he was from. He had even tagged something on Facebook that said his name; so let's just say his name was John, and it said "John's house", and it had a location, and so that was probably his house address, which was really not great to post. Furthermore, he had notes posted where he had tagged his mom, his girlfriend; in general, just too much information. And of course this post caught my eye because, you know, he evaded police, and I was like, oh, interesting. But at the end of the day, no privacy settings, right? The reason I'm showing you these examples is they're takeaways for us, people like us, right? We can learn from other people's mistakes.

And then you see ones like this. It's a Facebook group; somebody finds a driver's license and they post it. I've purposely blurred out the images and stuff so I don't further expose that person, but this is not a good idea. That's poor OPSEC, as written on that slide; that's what I wrote there, I drew that on there. It just wasn't necessary to post somebody's driver's license in an open Facebook group. Not great, right? Too much personal information. But again, people aren't always thinking about these things.

Let's look at an example of something I just call leaky documents, where some people might not realize their Google Drive is not always secure. So using a Google search here and a site operator, that's what I've done in this example, you can look for resumes on Google Drives. These types of documents are sensitive, as they contain so much personal information. It can include your home address, right, phone numbers, emails, employment information and more. So this is a good reminder to ensure your settings are secure on the platforms you use, not just Google Drive but in general, but ensure your Google Drive is locked down, and always check your privacy settings. I posted a link on the slide for those of you that want to learn more about search operators, how to narrow down your search when you're using search engines, because that's a really helpful skill set to have to find the results you're looking for.

All right, this one. So from the OSINT mindset, barcodes can provide us with important information. Some people don't realize that barcodes contain personal data, or they can, right? For example, people on social media love posting their boarding passes. Okay, so in this example, number one, I was looking at someone's Instagram post of their boarding pass, which they posted with the hashtag #boardingpass. So that's a thing; some of these hashtags, they're again great for finding information but really poor OPSEC. This person was using an alias on their Instagram account, so I didn't really know their real name. I was like, okay, and it wasn't actually a name; it was just some sort of username not related to the person, I guess. And when they posted their boarding pass, they covered their name with their thumb, which is shown in the image too; obviously I've had to crop it out and all that kind of stuff. They obviously didn't realize that there are online barcode readers that people can use, which is, say, number three, that screenshot, that will scan a barcode and tell you if there's any data in there. And so I did, because, you know, I'm an OSINT and a privacy person and I'm always curious what people are doing online. I took the barcode, entered it into the barcode reader, and in image four is the result. So it revealed this person's first name, their last name, the departing airport, the destination airport, what airline it was, flight number; sometimes it will even give you their frequent flyer number or whatever access. You might think, so what? Well, hackers are known to look for this information, and they can hijack accounts; moreover, they can gain more personal information about that person. So this is just a small example to show you that even barcodes can expose you in different ways online.

Here's an example of how people inadvertently leak information about themselves: social engineering questions. You've probably seen them on social media, these questions people keep answering. They're a prime example of oversharing sensitive data online, and sometimes some of the questions are not too big of a deal, but then there's questions, and you'll see on the right screenshot here, where people provide too much information, where somebody could use these answers to guess security questions. So like, hey, what are your siblings' names, what's your favorite song; it can go on and on, right? So not all of these would maybe fall into trying to access somebody's account, but there are several, right? Sometimes what's your favorite color, what's your favorite band, important dates, even, you know, to do with schedules or when that person is... This is just poor privacy when you're answering these questions, and then people will repost them and then other people will answer. So most people know not to post pictures of their credit cards or disclose sensitive information online, but a surprising number of people will post their phone numbers and home addresses on social media. It's shocking; I see it all the time. So again, you might ask, what's the risk? Well, somebody guessing passwords, social engineering attacks against you, maybe physical harm, etc. So the takeaway on the slide is pretty much what you see on the left screenshot: stop giving people your personal info to guess your password and security questions. Bad idea, don't do it.

So you're probably thinking, wow, okay, it doesn't stop. So no, it doesn't end there; there's more. The past couple of years have been terrible for oversharing: people posting their vaccine cards. It can tell a lot about somebody, and I just use this one as an example regardless of what kind of card it is, but this is kind of more, I guess, a recent thing. Depending on what your vaccine card says, if you are vaccinated, what it says, it could include your date of birth, it could tell you about somebody in terms of what city or what country they're from, your name, and depending again where you're from, there could be a lot of information exposed. Not only that, there was a huge issue with people doing counterfeits and that kind of stuff, but you're making it really easy by posting that card there to just grab a screenshot and go from there.

The second example, packages. So people again, we love shopping, we love our Amazon, all that kind of stuff, but a lot of people get the boxes, they throw them out, throw them in recycling or wherever they put them, with their addresses, their names on these boxes. Again, I mean, people are dumpster diving; whatever people might be looking for, hey, I need an address and a name, well, just go in the recycling bin, if you live in one of those shared buildings, that kind of thing.

Third example: in this third example, a male was seen wearing his work badge when he stormed the Capitol last January. So again, and I believe from the news article he was fired, but again, why would you do that? Why would you do either?

And then we have things like what I just call sketchy text messages. You likely have experienced those phishing text messages where they want you to click on a link. In this example I received a text message where there was an IP address noted and a mention of a Netflix account. So when I searched that IP in urlscan.io, it was tagged as malicious activity, so there was a huge red flag right there. Not that I would have clicked on it, but I just wanted to know what it said. Also, I don't have a Netflix account in my name, so I knew that was a phishing text on top of it. So the takeaway: first thing, don't click on unknown links or addresses via text or email. A good website to check for malicious content, including searching for websites or IPs, is urlscan.io, the one I showed in this screenshot.

Okay, so I know this example, it's not about online privacy, but I felt it was still important enough as a reminder, because a lot of people will post about these same things in social media posts. So not only that, but what you have to remember is that what you put on, say, your vehicles can impact your physical security as well. So car stickers can give away a lot of personal information. So whether you're driving through town or your car's parked at your residence, think about what you're advertising. Okay, so about your kids, what activities they're involved in, expensive toys, say, you have in your garage, if you have a pet, their name, where you live, work, where your kids go to school, that kind of stuff. Again, anybody can easily become a target for different reasons, but these are things to think about, and I'm not trying to get people to be paranoid, but I think it's important to care about your privacy. So be mindful of what's in the back of your photos, you know, whether you're on a video conference call; that way you just have more control of what you expose.

Okay, so these are some tips, just when you're sharing content, what you want to think about. Privacy settings don't always work on all platforms. Facebook, for example, is leaky; privacy settings on Facebook are not black and white, okay, and I'm telling you that from experience, years of experience using Facebook for investigations. Before posting, you want to ask yourself: if what you posted was leaked, would it compromise, say, your location, if it mattered, your family? And then proceed with your actions. Before I post anything on social media, privacy settings or not, I ask myself this question, and then I proceed. I consider all my social media interactions as public, even if I have a private social media account. I always think of it as, you know, if it gets out in the public, is this going to be an issue for me? Also, I consider, and you should consider, what you post as permanent, because whether you're using Snapchat, Instagram, whatever platform you like, people take screenshots. So even though something might disappear after whatever seconds or, you know, after so many days or whatnot, there still could be a record of it. It's easy to overshare online and overlook the risks, but a question to think about is: what might a fraudster do with this information? And the last thing I want to say is remember that everything that you're posting online is building your digital footprint; that's really important to remember.

Sorry. So some basic tips; so what can you do to protect yourself? These are some general tips that you can start with for better online privacy and security. You can use strong passwords; you know, using strong passwords and a password manager is a start. But also think about your browsing habits and, you know, using maybe a secure search engine like DuckDuckGo or startpage.com that doesn't save and collect your personal information. The next few slides are about your searching habits. So to get a complete list, you can scan this QR code. I know that sounds super sketchy for a privacy talk, but don't randomly scan QR codes, because they can contain, like on the street, I wouldn't just go around scanning these codes because they can contain malicious content. This one is just a link to my website, because I didn't want to put all the tips on the slide; they didn't fit. It just links to osinttechniques.com, and that's all that is. Other things you want to think about, though, is, you know, don't leave your devices unattended when you, you know, go to a coffee shop. Do you just walk away? You know, do you lock your screen when you walk away? Do you use webcam covers? Do you use a privacy filter? Sometimes it's important for some of us to care about that kind of stuff.

So let's talk about search engines like Google Chrome that save a lot of information about us. And one thing I do notice is there's a lot of confusion about what incognito mode is. Using incognito mode doesn't really protect you. It won't save information on the computer that you're using, but your ISP, your internet service provider, and other websites can still see your searches. So for me, I'll use incognito when I'm using somebody else's machine; you know, you're over and you need to borrow somebody's, I would be like, okay, I'm going to use incognito. That's when I would use it. This prevents your history and what you search and the cookies from being saved on that particular device. That's all it does.

So what else? Browser fingerprinting; I want to mention this. It's a technique used to identify people based on their device settings. Your browser always divulges some information to websites you visit, such as, hey, the browser you're using, operating system, the exact version of, say, the browser, so whether you've left it not updated, that kind of thing. If you want to see what your browser fingerprint looks like, you can use one or a couple of the following free services: coveryourtracks.eff.org or, say, amiunique.org. You can find out, say, you know, see what they see: your IP, the type of browser, that kind of thing. It's interesting to see what you look like when you look at websites, especially if you're looking at, like, personal websites that somebody might be monitoring. I look at it from the perspective of, if I'm investigating or researching someone's website, I would like to cover up who I actually am versus who I want them to think I am. So some of these websites, again, they give you the insight into how identifiable you are to sites and people, and sometimes it's worth doing a comparison, like I'll pick a couple just to see what the different sites say about you. Again, after using some of these sites you might say, well, what can I do to maybe fix this or change this?

Okay, this is an example from amiunique.org. So again, it'll help you understand what's collected about you when you visit a site, and you'll see the higher the similarity percentage, the better for you, because you blend in. So that's kind of interesting, but you can give this a try and see how it works for you. Another site that I don't think I have on this slide or on the last slide is deviceinfo.me. So deviceinfo.me, that's another site that also does something very similar.

So some browser extensions that you can use to adjust your privacy settings. There's many, but I'll cover these three quickly. There's HTTPS Everywhere. This will encrypt your communication with many major websites, so it'll make your browsing more secure; it will switch a site from being insecure, so the HTTP, to secure, so that's HTTPS, the S being for secure. Privacy Badger: it will block advertisers and third-party trackers from secretly tracking where you go and what pages you visit, so that's another good one. And then we have something different, User Agent Switcher. This extension changes the user agent, which is something that identifies what browser you're using, and what version and what operating system. So with this add-on it helps you change your browser and your operating system footprint. I could be using an iOS device on Chrome but spoof these details with this extension; that's what it does.

All right, so let's see here, what else can you do to secure yourself? What are some solutions? Simply, security by absence, okay: not posting the information out there in the first place. You can't get hacked through what you don't have, you know, through the services, apps that you don't actually have. This is a good reminder that if you stop using certain apps, sites or whatever it is, you want to make sure you delete them. Don't just say, hey, I'm off, and just leave it there, because that information still can be used by people. This is part of cleaning up your digital footprint. I've conducted security assessments where I often will find a user's old accounts they never deleted, but they're like, oh, I stopped using it; but they contain a lot of information such as photos, associations to people and all that kind of stuff. That's why you want to care about that.

Disinformation: there's another technique, it's called disinformation, where you plant some fake information to mix up your digital footprint. You can create fake accounts, especially if you do have a unique name. Maybe if you have a common name, like mine; it is common, people sometimes are confused by that, but it is common, and it helps me kind of hide in some ways. But if your name isn't common, you'll have to put in more effort, and disinformation is one of those techniques. Say, for example, you search your name and you find false information about yourself out there; perhaps leave it there. That's what I would do, right? I wouldn't try to correct it. Maybe the goal is to make attribution to your name difficult.

Educating those people around you: this is really important, letting people know how they might be compromising their privacy and security and why it matters. There's a cool little video here; it's called Data to Go, and some of you may have already seen it. It shows how easy it is to obtain information about people online. It's a quick few-minute video, but again, if you don't feel comfortable with visiting the TinyURL I created, you can just go into YouTube and enter "Data to Go" and check it out.

What else can you do? There's so much you can do. Data breaches, they're constant. Have you checked if your accounts have been a part of a data breach? Troy Hunt has a website called Have I Been Pwned, where you can search for emails and phone numbers to see if they're associated with breaches. So go run your own and see if you were part of a breach. This service also allows you to sign up for notifications, so for any future breaches you'll be notified. If you find you've been in a breach, make sure you go change your password; you might want to even go delete the account altogether in some situations. It's all about minimizing the data out there about us.

Some useful websites. I'm not going to go into details here, as I'm getting close to my time, but these are some resources, and I've explained what they do. Another one that's not on this is called privacytests.org. It's a web browser privacy comparison, essentially. But you can go through these; different sites allow you to do different things. They're just some resources for you, and there's an exercise you can do. Number one tip is that the majority of OSINT people start with OSINT or a search engine, so try searching your data on Google and Bing and find ways you can remove this information, you know, through the contact information on a website if it's there. This is one of the easiest ways to see what your digital footprint looks like. So start with what you use: your name, your usernames, your emails; search your home address in quotes; use quotes around your name; add a location, so, you know, whatever area you're from. And also think of search engines as that low-hanging fruit. Next, the next thing you want to think about is those manual searches; when you're into social media, go see what those look like as well.

And again, some more resources here. If you do come across things, there's a couple of resources here I have. There's one from Michael Bazzell, the first one; another one from Micah Hoffman, who is WebBreacher on Twitter; and Josh Huff, who is LearnAllTheThings on Twitter. They provide a bunch of useful tips to clean up your digital footprint. I understand there will be challenges depending on what country you're from, like the United States, where they have a lot of public information about their citizens, so it's more of a challenge, but it's still possible. And for those of you that like documentaries and that kind of stuff, this was or is available on Netflix: The Social Dilemma is a good awareness film, and it shows the many ways social media platforms influence society. It's also interesting that a lot of the people they interviewed were former employees of Facebook, Google and whatnot.

All right, final thoughts. Okay, so remember, threat actors can use information to their advantage, and we need to do better to protect ourselves. Don't be a soft target by exposing too much personal information or details about your life online. And this last one here, so here's a recap of my presentation, which I will post on Twitter if you guys are interested. I hope you enjoyed my presentation and learnt a few things. Here's my contact information; feel free to reach out on Twitter, or you can email me as well at this email address. And that's my presentation. Any questions?
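Added example (editor's code, not from the talk or the speaker): a small decoder for the text an online barcode reader extracts from a boarding pass, the IATA Bar Coded Boarding Pass (BCBP) "M" format. It shows why the thumb over the printed name in the speaker's example did not help: surname, given names, booking reference, route, flight number, seat and, in the conditional block, the frequent flyer number are all plain fixed-width ASCII with no encryption. Assumptions: the field widths follow the published IATA BCBP layout (the conditional sub-blocks are size-prefixed, so the walk stops at the declared length and ignores airline-specific data it does not know); the sample payload, passenger name, PNR, flight and numbers are constructed and fictitious.

```python
"""
Decode the text payload of an IATA Bar Coded Boarding Pass (BCBP, 'M' format).

An online barcode reader turns the PDF417/Aztec/QR symbol on a boarding pass
into this text. The text is fixed-width ASCII with no encryption, so covering
the printed name hides nothing the barcode still carries. Field widths below
follow the IATA BCBP layout (an assumption of this example, not the talk).
"""
from dataclasses import dataclass

# Mandatory items of the first leg, in order, with their widths (60 chars total).
MANDATORY_FIELDS = [
    ("format_code", 1),        # 'M' = multi-leg capable format
    ("legs", 1),               # number of legs encoded, 1-4
    ("passenger_name", 20),    # SURNAME/GIVEN, space padded
    ("eticket_indicator", 1),  # 'E' for electronic ticket
    ("pnr", 7),                # operating carrier booking reference
    ("from_airport", 3),       # IATA airport codes
    ("to_airport", 3),
    ("carrier", 3),            # operating carrier designator
    ("flight_number", 5),
    ("julian_date", 3),        # day of year of the flight, 001-366
    ("compartment", 1),        # cabin / fare class
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size", 2),   # hex length of the conditional block that follows
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_FIELDS)

# Conditional block: '>' + version digit + two size-prefixed sub-blocks.
UNIQUE_FIELDS = [
    ("passenger_description", 1), ("checkin_source", 1), ("issuance_source", 1),
    ("issue_date", 4), ("document_type", 1), ("issuer_airline", 3), ("baggage_tag", 13),
]
REPEATED_FIELDS = [
    ("airline_numeric_code", 3), ("document_serial", 10), ("selectee_indicator", 1),
    ("intl_doc_verification", 1), ("marketing_carrier", 3),
    ("frequent_flyer_airline", 3), ("frequent_flyer_number", 16),
    ("id_ad_indicator", 1), ("free_baggage_allowance", 3),
]


def _walk(block: str, fields) -> dict:
    """Read fixed-width fields from block, stopping at the declared block length."""
    out, pos = {}, 0
    for name, width in fields:
        if pos >= len(block):
            break
        out[name] = block[pos:pos + width].strip()
        pos += width
    return out


def parse_conditional(cond: str) -> dict:
    """Decode the optional block; returns {} when the pass carries none."""
    if len(cond) < 4 or cond[0] != ">":
        return {}
    pos = 2  # skip '>' and the version digit
    unique_len = int(cond[pos:pos + 2], 16)
    pos += 2
    unique = _walk(cond[pos:pos + unique_len], UNIQUE_FIELDS)
    pos += unique_len
    repeated_len = int(cond[pos:pos + 2], 16)
    pos += 2
    repeated = _walk(cond[pos:pos + repeated_len], REPEATED_FIELDS)
    pos += repeated_len
    return {"version": cond[1], **unique, **repeated, "airline_use": cond[pos:]}


@dataclass
class BoardingPass:
    surname: str
    given_names: str
    pnr: str
    from_airport: str
    to_airport: str
    carrier: str
    flight_number: str
    julian_date: int
    seat: str
    checkin_sequence: int
    frequent_flyer_number: str  # "" when the conditional block carries none
    conditional: dict


def parse_bcbp(payload: str) -> BoardingPass:
    """Parse the first leg of an 'M' payload; raises ValueError on junk input."""
    if len(payload) < MANDATORY_LEN or payload[0] != "M":
        raise ValueError("not a BCBP 'M' payload")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width]
        pos += width
    cond_len = int(fields["conditional_size"], 16)
    conditional = parse_conditional(payload[pos:pos + cond_len])
    surname, _, given = fields["passenger_name"].strip().partition("/")
    return BoardingPass(
        surname=surname, given_names=given, pnr=fields["pnr"].strip(),
        from_airport=fields["from_airport"], to_airport=fields["to_airport"],
        carrier=fields["carrier"].strip(), flight_number=fields["flight_number"].strip(),
        julian_date=int(fields["julian_date"]), seat=fields["seat"].strip(),
        checkin_sequence=int(fields["checkin_sequence"]),
        frequent_flyer_number=conditional.get("frequent_flyer_number", ""),
        conditional=conditional,
    )


def build_sample_payload() -> str:
    """Constructed sample with fictitious data; block sizes are computed, not hand-counted."""
    mandatory = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
                 + "YVR" + "YYZ" + "AC".ljust(3) + "0834".ljust(5) + "326"
                 + "J" + "001A" + "0025".ljust(5) + "1")
    unique = "1" + "W" + "W" + "2A55" + "B" + "AC".ljust(3) + "0014123456789"
    repeated = ("014" + "1234567890" + "0" + " " + "AC".ljust(3)
                + "AC".ljust(3) + "1234567890123456" + " " + "20K")
    conditional = f">6{len(unique):02X}{unique}{len(repeated):02X}{repeated}"
    return mandatory + f"{len(conditional):02X}" + conditional


if __name__ == "__main__":
    bp = parse_bcbp(build_sample_payload())
    # Everything a thumb over the printed name was meant to hide:
    print(f"{bp.given_names} {bp.surname}, {bp.carrier}{bp.flight_number} "
          f"{bp.from_airport}->{bp.to_airport} day {bp.julian_date}, seat {bp.seat}, "
          f"PNR {bp.pnr}, frequent flyer {bp.frequent_flyer_number or 'n/a'}")
```

Run it on the text a barcode reader gives you (the whole string, mandatory block first) and compare what comes out with what was blurred in the photo; the PNR plus surname is what the speaker's "hijack accounts" point turns on, since that pair is the login for many airline booking-management pages.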