Just how much data do you volunteer in social media?

Most of us spend a great deal of time on social media in one form or another. I know that I do, for a myriad of reasons. I seek entertainment, spread humor, gather information, keep up on the daily news (which I then need to fact check to make sure I am getting the truth), and even run a micro home business.

We know, of course, that we give up data to the social media host when we provide information to set up the account.

To use Facebook as a generic example (you can really use any social media platform for this discussion), it will only take a few minutes of scrolling in your ever growing feed to find yourself participating in fun interactive memes and discussions.

Have you seen the memes that ask what the number one song was the year that you were born? Well, many of us are aware that one of the common security questions is “What was the first concert that you went to?” Oh, so many fall for that one every hour, even with the wise commenting that it is a security question… sigh. So I and others who are like minded enjoy populating the answers with smart-aleck responses to pollute the data that the scrapers are gathering.

For all intents and purposes, scammers can either post those memes to directly get the responses, or they can just pull data in from other people’s posts as long as they can read them. The data that they want? Well, it could be anything.

Here is where I start to take the discussion somewhere that helps you learn something important, something that many do not consider. We will call it a value add for reading this far and actually caring.

Let’s suppose that instead of being a white hat (at least mostly white, or white by day and maybe some shades of gray after hours) cyber professional working for the betterment of humanity’s cybersecurity… I am a black hat who has relocated to a nation without an extradition treaty with the United States. Why would someone want to do that? Well, with black hat cyber skills it can be lucrative, and here is a possible option.

Set up a nice server room with a very comfy desk or recliner. Learn how to build databases. They are not hard to learn, but they do take forethought to build effectively so that they can house enormous amounts of data.

At this moment it is very likely that your username and password have been compromised in some data breach in the past. (There are scam emails that rely on this data; I think I have described them in the past.) There are places on the web where you can find repositories of usernames and passwords that were stolen and posted for others to use. Sometimes it is free to download and other times it is for sale.

If I take a few of the free collections, I can add them to my database (think of it as an Excel spreadsheet on steroids). Perhaps the file had email addresses and passwords. The low hanging fruit would be to try to access the accounts, since so many people rarely change their passwords. If I can get in, I might download all of the email and examine it for other data such as your name, location, family members, pets… think of all that you have sent in emails. Each of those items gets added to the database.

Remember that the initial data gathered was free. Perhaps it COULD have been sold, but not for much. The price would be in cryptocurrency so that it is less trackable, or at least harder to track. Do not let people make you think that it cannot be tracked; that is movie madness. Maybe you started with 1000 email addresses and passwords.

So you started with 1000 usernames and passwords, and after a few hours of login attempts (perhaps you used a testing script to complete the tests in fifteen minutes), you ended up with the passwords of 100 poor suckers who never change their password. To be very honest, I think that there will be more due to password reuse [link]. So now you have a new table with known good email accounts.

When I was doing ISP tech support, I frequently heard “It is just dumb email; if someone wants to get my recipes or bad jokes from my family, they can have them.” Oh, my… what a treasure trove. A few paragraphs ago I mentioned the kind of data gathered from a live email account. So now your tables have linked the person’s name with the email address and, if there are signature blocks, perhaps street address, city, state, country, and phone number. If you wanted to sell that data, its value has gone up a little.

With all that email that you downloaded, you also identified family members. Those records get copied to another database, this one to use for trying to scam the user’s family members out of their money as they pay for bail, medical attention, or who knows what ploy the scammer will use for their deception. Now I have two databases to sell.

Now I try to see if I can log into your social media accounts using those email addresses and passwords. Maybe I am able to get access to fifty of those one hundred? Why so many? Well, remember that they are already password reusers, so why expect that they will be better with their social media accounts?

Think of your social media account and how many friends you have there. More data to feed into the master database as being connected to the victim. I do some scrolling through the feed and I see that they identified their first job (clickety click into their records) and their first car was a 79 Celica (clickety click into their records)… oh look, their profile shows that they graduated from Gullible State University in 87. You guessed it (clickety click into their records). This person’s record keeps getting more added to it, and each added element makes it more valuable. I find more and more family, job history, favorite sports teams. Have you recognized how many security questions may be answered with this data? I may have enough gathered data to try logging into the victim’s bank account, or even open a line of credit; after all, I know the answers. If I can get into the bank account, think of the transactions I can make. I could buy cryptocurrency online and trade it back and forth through a myriad of wallets or other transactions to make it difficult to track back.

Now that I have stolen the victim’s money, I can use it to purchase more equipment, or buy more ill-gotten data to add to my database, always seeking to build it for a better sale price. When you have thousands of live and accurate records with a ton of supporting information, that price tag keeps going up. Remember that when selling data, you sell it over and over. There is no physical inventory to run out of.

Maybe my database was only worth 20 bucks per copy since it was small, but with a little knuckle grease (remember, just typing, not actual elbow grease) I improved the data to be worth $500.00 per copy.

Remember that there was the second database for scams? I can use an AI voice tool to make convincing replicas of the victim’s loved ones if I can get a sample of their voice. Maybe I called them with a bogus survey to get that sample. Now I can call their mother, using that replicated voice, to convince mom that I need bail money. Pick a scam; there are thousands of variations.

Since I have all of those email addresses stored from getting into those mailboxes, I can add them to a third database to use for phishing emails. Just spray those email addresses and any other email address that I can collect from the web. Someone running a phishing campaign generally only needs a 1% win rate to stay profitable. (Please, for all that you care about, watch for red flags and do not fall for these emails.) Does your employer have an email contact directory online? Perhaps an org chart that shows the person, their name, email, and maybe their desk phone? (clickety click into their records) Yes, more tables, with even more data. Those company based records go into another database; they may be handy for other types of attacks. Surveillance, perhaps, to see if I can gain access to the corporate network to obtain yet more data. If I can get into the HR systems, will I find social security numbers nicely paired with all of the other employee data? Some days it can be too easy. Maybe I can access the networked printer in HR. Most modern printers are just computers that print. They have hard drives. Is your corporate printer also a scanner, perhaps used to scan driver licenses and social security cards to process an I-9 form for the IRS? Yeah, there is a hard drive that stores that data in the scanner/copier that might be nice for me to get into. Driver licenses… yep, you guessed it… (clickety click into their records). This data is getting quite valuable now.

With all of this data and being connected to family members… I wonder if I found any adult oriented associations or proclivities during my hunting. [In my profession, I once stumbled onto an employee that I did not know personally soliciting prostitutes via his email.] Now, if the victim is not worried about intruders in their email box, this information could be used to blackmail them. How much would they pay to not have all these sordid details posted online? Or how much to prevent their significant other from getting a phone call? Just transfer a certain amount of cryptocurrency to me and I will delete your record. I won’t really delete the record, but I will mark it as used. I will still sell it to others for their use as they see fit.

It isn’t just the big companies that make a killing off of you playing on social media; it is criminals worldwide. This is one of the reasons that cyber professionals are well compensated. With what I understand and can do, I would be quite dangerous if I retired overseas. Instead, I am here teaching you how to protect yourself. It is where I get my reward, that and any ad clicks that happen in appreciation. Money is good, but as long as my family is housed, clothed, fed, and loved by our dogs… then I am happy.

If you came away with nothing but an understanding of how those silly meme games sneak valuable data out of you, then it is a positive step. Stop and think before you reveal personal information. It does not take much to turn it into Personally Identifiable Information.

Do you use read receipts?

Why Read Receipts Can Be a Double-Edged Sword

Read receipts, those seemingly innocuous notifications that inform you when someone has read your message, have become a common feature in our digital communication landscape. However, beneath their unassuming appearance lies a complex web of emotions, social dynamics, and privacy concerns. Let’s delve into why read receipts can be both a blessing and a curse.

  1. Privacy Concerns:
    • Read receipts invade the recipient’s privacy by revealing when and how they interacted with the message. Suddenly, your private communication becomes a public record, visible to the sender.
    • Imagine this: You receive a message late at night, but you’re not in the mood to respond immediately. The sender sees that you’ve read their message, and now there’s an unspoken expectation for a swift reply. Privacy boundaries blur, and you feel pressured to engage.
  2. Social Pressure and Expectations:
    • Read receipts create social pressure. When someone sees that you’ve read their message, they assume you’re available and waiting for a prompt reply.
    • The instantaneous acknowledgment of receipt triggers the expectation of an equally swift response. But life doesn’t always align with digital timelines. Maybe you’re busy, need time to collect your thoughts, or simply want to respond later. The pressure mounts.
  3. Misinterpretation of Silence:
    • Silence doesn’t always mean disinterest. Yet, with read receipts enabled, the sender may interpret your lack of immediate response as indifference.
    • The psychology behind read receipts often leads to feelings of rejection. When you see that someone has read your message, you assume they should respond just as quickly. But life’s complexities don’t always allow for instant replies.
  4. Email Read Receipts:
    • Email read receipts have their own quirks. In the past, you’d receive a pop-up requesting confirmation that you’d opened an email. However, this method has waned due to secret tracking pixels embedded in emails.
    • These tracking pixels, prevalent in marketing and personal emails, silently report back to the sender when you’ve opened the email. Privacy advocates frown upon this intrusion.
  5. The Love-Hate Divide:
    • A 2017 study revealed that around 55% of Millennials and teens use read receipts on their phones. People are split on the issue.
    • Some love read receipts for the peace of mind they bring. Knowing when someone has read your message provides reassurance.
    • Others despise them. They find read receipts stressful, invasive, and perhaps even passive-aggressive.
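Tracking pixels are easy to spot once you know what they look like. As an added example that is not part of the original post, the Python below scans a constructed HTML email body for remote images that are one pixel or smaller, hidden with CSS, or carrying a per-recipient token in their URL, and produces a copy of the message with those images neutralised so the mail client never fetches them. It uses only the standard library; the sample message, its `.invalid` hostnames and the list of token-like query keys are this example's own assumptions.

```python
# Added example, not from the original post: find likely tracking pixels in an HTML
# email body and neutralise them. Standard library only; sample message is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one inline logo (cid:), one 1x1 open-tracker with a recipient id,
# one ordinary banner and one CSS-hidden tracker. Hostnames use the reserved .invalid TLD.
SAMPLE_EMAIL = """<html><body>
<p>Hi Pat, here is the newsletter you asked for.</p>
<img src="cid:logo123" width="120" height="40" alt="Company logo">
<img src="https://mail.example-marketing.invalid/o.gif?rid=8f3a2c9b" width="1" height="1" alt="">
<img src="https://cdn.example-marketing.invalid/banner.jpg" width="600" height="200" alt="Banner">
<img src="https://t.example-marketing.invalid/open" style="display:none; width:0; height:0">
</body></html>"""

# Query-string keys that commonly carry a per-recipient identifier (a heuristic, not a standard).
TOKEN_KEYS = re.compile(r"(^|&)(uid|rid|cid|eid|track|open|recipient)=", re.I)


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag as a dict (keys lower-cased)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int; None if unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def pixel_reasons(attrs):
    """Return the reasons an <img> looks like a tracking pixel; an empty list means it looks benign."""
    src = attrs.get("src", "")
    parsed = urlparse(src)
    if parsed.scheme.lower() not in ("http", "https"):
        return []  # cid:/data: images are embedded and cannot report back to a server
    reasons = []
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1 or smaller remote image")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or re.search(r"(width|height):0(px)?(;|$)", style):
        reasons.append("hidden via CSS")
    if TOKEN_KEYS.search(parsed.query) or len(parsed.query) > 64:
        reasons.append("per-recipient token in URL")
    return reasons


def find_tracking_pixels(html_body):
    """Return [(src, [reasons...]), ...] for every image that trips at least one heuristic."""
    collector = ImgCollector()
    collector.feed(html_body)
    found = []
    for attrs in collector.images:
        reasons = pixel_reasons(attrs)
        if reasons:
            found.append((attrs.get("src", ""), reasons))
    return found


def strip_tracking_pixels(html_body):
    """Return (cleaned_html, count): flagged images get an empty src so the client never fetches them.
    Note: the parser unescapes attribute values, so a src containing '&amp;' would need escaping first."""
    cleaned = html_body
    flagged = find_tracking_pixels(html_body)
    for src, _ in flagged:
        cleaned = cleaned.replace(f'src="{src}"', 'src="" data-blocked="tracking-pixel"')
    return cleaned, len(flagged)


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print(f"{src}\n   -> {', '.join(reasons)}")
    cleaned, n = strip_tracking_pixels(SAMPLE_EMAIL)
    print(f"\n{n} image(s) neutralised")
```

The three heuristics are deliberately independent: a tracker does not need to be tiny if it is hidden with CSS, and a visible banner can still carry a per-recipient token. The simplest defence is the one most mail clients now offer, blocking remote images until you choose to load them; this code shows what that setting is protecting you from.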

In conclusion, read receipts are like a double-edged sword. They offer transparency but sacrifice privacy. They create expectations but misinterpret silence. Whether you love them or loathe them, one thing is certain: read receipts have left an indelible mark on our digital interactions.

As a bonus point for those of us who are subject to random urine analysis as part of our employment: when that email arrives telling us that our number came up, we have two hours from when the read receipt is triggered to provide our specimen. Yay, fun, huh? So if there is no receipt sent, we can enjoy our coffee to provide a better sample.

Human Firewalls and Their Importance

The Human Firewall: Your First Line of Defense

Imagine your workplace as a grand castle, fortified with walls, moats, and watchtowers. But amidst all the stone and steel, there exists a vital yet often overlooked defense: the human firewall. This invisible shield is composed of every employee—the knights, scribes, and jesters—who interact with the digital realm.

  1. Vigilance and Awareness:
    • The human firewall is not impervious; it thrives on vigilance. Every click, every link, every attachment—these are potential gateways for cyber threats.
    • Employees must be aware of the dangers lurking in their inboxes. Phishing emails disguise themselves as friendly missives, urgent notices, or enticing offers. But beneath the surface lies treachery.
  2. Phishing: The Cunning Deception:
    • Phishing is like a shape-shifting sorcerer. It masquerades as a trusted entity—a colleague, a bank, or even a mythical prince seeking your aid.
    • The bait? A seemingly innocent link or attachment. Click it, and you unwittingly open the castle gates.
  3. The Art of Suspicion:
    • Train your eyes to spot the signs. Is the email unexpected? Does it create urgency? Does it ask for sensitive information?
    • Beware of misspelled domains, odd sender addresses, and requests for passwords or financial details.
  4. Reporting: Your Noble Duty:
    • When you encounter a suspect email, don your armor of responsibility. Report it promptly to your castle’s cybersecurity guardians (usually the IT team).
    • They will investigate, trace the dark magic, and thwart the threat. Your vigilance could save the kingdom!
  5. Collective Defense:
    • Remember, the human firewall is not a solo act. It’s an ensemble—a symphony of cautious clicks and wary glances.
    • By reporting, you protect not only yourself but also your fellow knights and jesters. Together, you form an unbreakable chain.

Reporting Suspect Phishing Emails: A Heroic Quest

Now, let’s embark on a quest. Imagine you receive an email from “PrinceNigerianScam@notascam.com.” The subject line reads, “Urgent: Inheritance Awaiteth!” The prince claims you’re the long-lost heir to a fortune. All you need to do is send your bank details.

  1. The Call to Action:
    • Pause. Breathe. Channel your inner hero. You suspect foul play.
    • Click not the link! Instead, wield your mouse and report the email.
  2. The Reporting Ritual:
    • Seek the “Report Phishing” button (it’s usually a shield or a flag). Click it.
    • Describe the email’s malevolence: “Suspicious sender, dubious inheritance, smells fishier than a mermaid’s lunch.”
  3. The IT Wizards:
    • Your report flies to the IT wizards. They decipher its runes, analyze its hexes.
    • If it’s indeed a phish, they cast counterspells—blocking the sender, fortifying the castle.
  4. Your Legacy:
    • You’ve done it! You’ve thwarted the sorcery. Your coworkers cheer, “Huzzah!”
    • Your legacy? A safer castle, a stronger human firewall.

Remember, dear knight of the digital realm, your vigilance matters. Each reported email strengthens the castle walls, shields the treasury, and keeps the dragons at bay. So, raise your virtual sword, and may your inbox be forever free of phishing spells! 

Credential Stuffing

I know that you must get quite tired of hearing about your password. We tell you to keep it strong, use multi-factor authentication, blah blah blah…

We often hear the same kinds of responses back: “but it is just my email… I have nothing of interest in there.” Yes, we know… and we sympathize. In the end we are just trying to help you. I have had other posts about the significance of strong passwords, and I have talked about password lockers/services.

Let’s talk about a different direction: credential stuffing. Now, I am going to admit that the phrase was one that I had seen but never looked into. As you can imagine, in my role I encounter a ton of new terms and phrases and often do not have the time to keep up on them all. I will try to do a better job of selecting one and sharing it with you so that you can pick up nuggets of skills along the way with me.

When we have talked about passwords in the past, I have mentioned that when companies have their networks breached and data is stolen, sometimes that data is our personal data, but sometimes it is our usernames and passwords.

Since we on the whole (myself included, but I am getting it fixed) are horrible about password reuse, this makes credential stuffing a danger.

So Mr. Blackhat gets their hands on a data dump, then builds a spreadsheet with your email address(es) and the password(s) that you have been known to use. Since the majority of the United States banks at one of a few national banks, they start testing to see if they can log in. If they can… great!

Fortunately, banks are getting smarter and are pushing us all to more secure login methods. If your bank is behind the times AND you use one password all over the internet, you may well become a victim.
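From the defender's side of the login page, a stuffing run has a recognisable shape: one source address tries many different accounts, once or twice each, and most attempts fail. That is unlike a brute-force attack, which hammers one account many times. The Python below is an added example, not part of the original post, that applies that distinction to a handful of constructed authentication log lines (the log format, the addresses, the accounts and the timestamps are all made up for the example) and reports which accounts the source actually got into, which is the list you would force a password reset and multi-factor enrolment on.

```python
# Added example, not from the original post: spot a credential-stuffing run in authentication
# logs. The log format and every address, account and timestamp below are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source tries eight different accounts once each (stuffing, with one hit),
# a second source hammers a single account (classic brute force), and a third is a normal login.
LOG_LINES = [
    "2024-05-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL",
    "2024-05-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL",
    "2024-05-01T10:00:03Z ip=203.0.113.7 user=carol@example.com result=FAIL",
    "2024-05-01T10:00:04Z ip=203.0.113.7 user=dave@example.com result=FAIL",
    "2024-05-01T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL",
    "2024-05-01T10:00:06Z ip=203.0.113.7 user=frank@example.com result=OK",
    "2024-05-01T10:00:07Z ip=203.0.113.7 user=grace@example.com result=FAIL",
    "2024-05-01T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL",
    "2024-05-01T10:01:00Z ip=198.51.100.9 user=bob@example.com result=FAIL",
    "2024-05-01T10:01:05Z ip=198.51.100.9 user=bob@example.com result=FAIL",
    "2024-05-01T10:01:10Z ip=198.51.100.9 user=bob@example.com result=FAIL",
    "2024-05-01T10:01:15Z ip=198.51.100.9 user=bob@example.com result=FAIL",
    "2024-05-01T10:01:20Z ip=198.51.100.9 user=bob@example.com result=FAIL",
    "2024-05-01T10:01:25Z ip=198.51.100.9 user=bob@example.com result=FAIL",
    "2024-05-01T10:02:00Z ip=192.0.2.5 user=alice@example.com result=OK",
]

EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Turn one 'ts ip=... user=... result=...' line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "ip": fields["ip"], "user": fields["user"], "ok": fields["result"] == "OK"}
    except (ValueError, KeyError):
        return None


def detect_credential_stuffing(lines, window_minutes=15, min_accounts=5, max_tries_per_account=2.0):
    """Group attempts by (source IP, fixed time window). A window is flagged when the source touched
    many distinct accounts with only a try or two each: that is the stuffing pattern (a leaked list
    being replayed), unlike brute force, which is many tries against one account.
    Returns one alert per flagged window, listing the accounts the source logged into."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            slot = int((ev["ts"] - EPOCH).total_seconds() // (window_minutes * 60))
            buckets[(ev["ip"], slot)].append(ev)
    alerts = []
    for (ip, _), events in sorted(buckets.items()):
        accounts = {e["user"] for e in events}
        tries_per_account = len(events) / len(accounts)
        if len(accounts) >= min_accounts and tries_per_account <= max_tries_per_account:
            alerts.append({
                "ip": ip,
                "attempts": len(events),
                "distinct_accounts": len(accounts),
                "failures": sum(not e["ok"] for e in events),
                # these accounts were opened with a password that is now known to be leaked:
                "compromised": sorted({e["user"] for e in events if e["ok"]}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(LOG_LINES):
        print(f"{a['ip']}: {a['attempts']} attempts across {a['distinct_accounts']} accounts, "
              f"{a['failures']} failed; force a reset on: {', '.join(a['compromised']) or 'none'}")
```

The thresholds (five accounts in fifteen minutes, at most two tries each) are starting points, not tuned values; a real run is spread over many source addresses, so production detections also look at the failure rate across the whole login endpoint, not just per IP. The fixed-window bucketing is a simplification chosen for readability; a sliding window catches runs that straddle a boundary.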

I wish I could tell you how many times I have seen “my [social media account] got hacked”. They were probably not hacked at all. They likely either fell for a credential harvester scam, or… were reusing their social media account password on other services that were compromised.

This brings us back to the common plea of cybersecurity professionals. Please, PLEASE, use strong and unique passwords, and when you are able to, enable multi-factor logins. Yes, it is that important, unless you feel that donating your funds to who knows what country is a suitable form of charity work, one that you cannot even deduct from your taxes.

Why is it dangerous to click on a random QR code?

Scanning a QR code itself is not inherently dangerous. QR codes are widely used for various purposes, such as providing information, accessing websites, making payments, and more. However, there are certain risks associated with scanning QR codes that can make them potentially dangerous if caution is not exercised. Here are a few reasons why scanning a QR code can be risky:

Malicious codes: QR codes can be designed to contain malicious content, such as links to phishing websites, malware, or other harmful exploits. Scanning such a QR code can lead to your device being compromised, personal data being stolen, or unauthorized access to your accounts.

Fake QR codes: In some cases, attackers can create counterfeit QR codes and place them in public spaces, on advertisements, or even on legitimate products. These fake QR codes can be used to redirect users to malicious websites or trick them into providing sensitive information.

URL masking: QR codes can hide the actual destination URL of a website or an application. Scammers can exploit this by creating QR codes that appear to be harmless but actually lead to malicious websites. This can be used for phishing attacks, where users are tricked into entering their login credentials or other personal information on a fake website.

Malware-infected apps: Scanning a QR code might prompt you to download a mobile application. It is essential to be cautious about the source of the app, as it could potentially be infected with malware or have malicious intentions. Unauthorized app downloads can compromise your device’s security and privacy.

To protect yourself while scanning QR codes, consider the following precautions:

Verify the source: Ensure that you trust the source of the QR code before scanning it. Be cautious with codes in public places and advertisements.

Use a reputable scanner: Install a reliable QR code scanner from a trusted source. These scanners often have built-in security features that can detect and warn about potentially malicious codes.

Examine the URL: Before scanning, take a close look at the URL displayed after scanning the code. If it seems suspicious or different from what you expected, it’s better to avoid visiting the website.

Be wary of requests for personal information: Avoid entering personal or sensitive information on websites or applications accessed via QR codes unless you are certain about their authenticity and security.

By being vigilant and exercising caution, you can minimize the risks associated with scanning QR codes.
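The "examine the URL" advice above can be turned into a checklist that runs before you tap the link. The Python below is an added example, not part of the original article: it takes the text a scanner decoded from a QR code and returns a verdict with reasons, covering non-web payloads, schemes that execute rather than browse, plain http, raw IP addresses, punycode labels, URL shorteners that hide the destination, the user@host trick, and look-alike domains when you know which site the sticker claims to lead to. The shortener list, the blocked-scheme list and every `.invalid` hostname are this example's own choices; the actual QR decoding is left to the scanner app.

```python
# Added example, not from the original article: vet the text decoded from a QR code before
# acting on it. The decoding itself is left to the scanner app; this checks only the payload.
# All hostnames below are constructed (.invalid) except the public shortener domains.
import ipaddress
from urllib.parse import urlparse

# Schemes a QR payload can carry that are not web links. Some are harmless (a Wi-Fi profile),
# others hand the payload to code rather than to a browser and should never be auto-opened.
BLOCKED_SCHEMES = {"javascript", "data", "file", "vbscript", "intent"}
# Public URL shorteners hide the real destination, which is exactly what the text warns about.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def vet_qr_payload(payload, expected_domain=None):
    """Return (verdict, reasons) where verdict is 'ok', 'warn' or 'block'.
    expected_domain is what the poster or label claims the code leads to, if known."""
    reasons = []
    parsed = urlparse(payload.strip())
    scheme = parsed.scheme.lower()
    if scheme in BLOCKED_SCHEMES:
        return "block", [f"'{scheme}:' payload would run as code, not open as a web page"]
    if scheme not in ("http", "https"):
        what = f"'{scheme}:' action" if scheme else "plain text"
        return "warn", [f"not a web link ({what}); review before acting on it"]
    host = (parsed.hostname or "").lower()
    if not host:
        return "block", ["web link with no host"]
    if parsed.username is not None:
        # In https://bank.example@other.invalid/ the real site is the part after the '@'
        reasons.append("user@host form: the site is the part after '@', not before it")
    if scheme == "http":
        reasons.append("plain http, anything typed on the page travels unencrypted")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("internationalised (punycode) label, may look like a familiar name")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if expected_domain:
        expected = expected_domain.lower()
        if host == expected or host.endswith("." + expected):
            pass
        elif expected in host or expected.split(".")[0] in host:
            reasons.append(f"looks like {expected} but is not under it (look-alike domain)")
        else:
            reasons.append(f"leads to {host}, not the expected {expected}")
    blocking = any(r.startswith(("user@host", "looks like", "leads to")) for r in reasons)
    verdict = "block" if blocking else ("warn" if reasons else "ok")
    return verdict, reasons


if __name__ == "__main__":
    # Constructed payloads of the kinds a parking-meter or menu sticker might present.
    samples = [
        ("https://www.example-bank.invalid/login", "example-bank.invalid"),
        ("https://example-bank.invalid.login-verify.invalid/secure", "example-bank.invalid"),
        ("http://192.0.2.10/pay", None),
        ("https://bit.ly/abc123", None),
        ("javascript:void(0)", None),
        ("WIFI:T:WPA;S:cafe;P:secret;;", None),
    ]
    for payload, expected in samples:
        verdict, reasons = vet_qr_payload(payload, expected)
        print(f"{verdict:5} {payload}")
        for r in reasons:
            print(f"      - {r}")
```

The look-alike rule is the one that matters most for the "URL masking" risk above: `example-bank.invalid.login-verify.invalid` contains the bank's name, but the registered domain is the last two labels, so it is not the bank. A "warn" verdict means the link may be fine but you should read the address bar after it opens; "block" means do not open it from the code at all and type the address you expect instead.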


Cybersecurity Policy

What is a cybersecurity policy for?

A cybersecurity policy is crucial for small businesses due to the following reasons:

  1. Protecting Sensitive Data: Small businesses often handle sensitive customer information, such as personal and financial data. A cybersecurity policy helps establish guidelines and procedures to protect this information from unauthorized access, breaches, or theft.
  2. Preventing Data Loss: Data loss can occur due to various reasons, including hardware failure, natural disasters, or human error. A cybersecurity policy can include backup and recovery protocols to ensure critical data is regularly backed up and can be restored in case of a data loss incident.
  3. Mitigating Cyber Attacks: Small businesses are increasingly targeted by cybercriminals due to their potential vulnerabilities. A cybersecurity policy provides a framework to identify and address security risks, implement preventive measures, and respond effectively to cyber attacks, minimizing the potential impact on the business.
  4. Building Customer Trust: Demonstrating a commitment to cybersecurity through a well-defined policy helps build trust with customers. When customers perceive that their data is handled securely, they are more likely to engage in transactions and share sensitive information with the business.
  5. Compliance with Regulations: Depending on the industry and location, small businesses may be subject to various data protection and privacy regulations. A cybersecurity policy helps ensure compliance with these regulations, avoiding legal repercussions and potential fines.
  6. Employee Awareness and Training: A cybersecurity policy educates employees about their roles and responsibilities in maintaining a secure work environment. It outlines best practices, such as strong password management, email security, and safe browsing habits. Regular training and awareness programs can significantly reduce the risk of human error and inadvertent security breaches.
  7. Safeguarding Business Continuity: A cybersecurity incident can disrupt business operations, leading to financial loss and reputational damage. A well-designed policy includes disaster recovery and incident response plans to minimize downtime, recover from disruptions efficiently, and restore normal operations as quickly as possible.
  8. Vendor and Third-Party Risk Management: Small businesses often collaborate with vendors and third-party service providers, introducing additional security risks. A cybersecurity policy establishes criteria for evaluating the security posture of vendors and outlines expectations for protecting shared data, ensuring that external partners maintain adequate security measures.

Overall, a cybersecurity policy acts as a proactive measure to mitigate risks, protect sensitive information, and ensure the long-term sustainability and growth of a small business in today’s digital landscape.

SANS Security Policy Templates

For those in the cybersecurity industry, we all know the name SANS. They provide excellent (but quite spendy) training. I have been fortunate enough to attend one of their courses and will take more in the future due to my day job.

SANS is a great resource, and for today’s subject we are talking about security policy.

SANS makes a collection of free-use policy documents available for organizations. Look at the collection and see if any may help you build the strength of your organization. They have a robust community and the information that they provide is worthwhile.

General Policy Files:
  • Acceptable Use Policy
  • Password Policy
  • Password Protection Policy
  • Email Policy
  • Ethics Policy (this one is retired but has worthy sections to review and possibly implement)

Depending on the input I get on this post, it may continue to evolve.

What is malware?

Malware, short for malicious software, is any type of software designed to harm, disrupt, or damage computer systems, networks, or devices. Malware can be created for a variety of purposes, such as stealing sensitive information, gaining unauthorized access to systems, or damaging or destroying data.

Some common types of malware include viruses, worms, Trojan horses, ransomware, spyware, and adware. Each type of malware has its own specific characteristics and methods of infection.

Viruses are programs that infect other files on a computer and can spread to other computers via networks, email attachments, or infected websites. Worms are similar to viruses but can spread independently, without the need for a host file.

Trojan horses are programs that appear to be legitimate but contain hidden malicious code. Ransomware is a type of malware that encrypts the victim’s files and demands a ransom in exchange for the decryption key.

Spyware is a type of malware that is designed to spy on the victim’s activities, such as monitoring their keystrokes or stealing sensitive information. Adware is a type of malware that displays unwanted advertisements on the victim’s computer.

To protect yourself from malware, it’s important to use antivirus software, keep your software and operating system up to date, and be cautious when downloading or installing software from the internet. Additionally, avoid clicking on suspicious links or opening suspicious attachments in emails or messages.

What are red flags when it comes to phishing?

There are several red flags that can help you identify a phishing email. Here are some common ones:

  1. Sender’s email address: Check the sender’s email address carefully. Scammers often use fake or spoofed email addresses that may look similar to a legitimate email address but contain spelling mistakes or extra characters. Also, be cautious of emails that appear to be sent from well-known organizations but are sent from free email services such as Gmail or Yahoo.
  2. Urgent or threatening language: Phishing emails often use urgent or threatening language to create a sense of panic or fear in the recipient. They may claim that your account is at risk or that there has been suspicious activity and ask you to take immediate action.
  3. Suspicious links or attachments: Be cautious of links or attachments in emails, especially if they are from unknown or suspicious sources. Hover over the link to see the URL it is directing you to, and check for misspellings or unusual characters. Do not click on any links or download any attachments that seem suspicious or unfamiliar.
  4. Request for personal information: Phishing emails often ask for personal information such as passwords, credit card numbers, or social security numbers. Legitimate organizations usually do not ask for this information via email, so be cautious of any requests for personal information.
  5. Poor spelling and grammar: Phishing emails may contain poor spelling and grammar, as scammers often operate from non-English speaking countries.

If you notice any of these red flags in an email, it’s best to delete the email and not click on any links or provide any personal information. It’s always better to err on the side of caution when it comes to suspicious emails.
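The red flags in this list, and the "Art of Suspicion" checks in the human-firewall post above (unexpected, urgent, asks for sensitive information, misspelled domains, odd sender addresses), are mechanical enough to score automatically. The Python below is an added example, not part of the original post, that parses a raw email with the standard `email` module and scores it against four of the five flags; spelling and grammar is left to the reader because it does not automate well. The trusted domain, the free-mail list, the urgency and sensitive-data phrase lists, and both sample messages (with their `.invalid` and `example.com` addresses) are this example's own constructions.

```python
# Added example, not from the original post: score an email against the red flags listed above
# (sender address, urgency, link destinations, requests for personal data). The trusted domain,
# the two sample messages and every address in them are constructed (.invalid / example.com).
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.invalid"}   # constructed: domains the reader really deals with
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = ("immediately", "urgent", "within 24 hours", "suspended", "act now", "final notice")
SENSITIVE = ("password", "social security", "credit card", "ssn", "verify your account", "bank details")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates (distance 1-2), or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_email(raw_message):
    """Return {'flags': [...], 'score': n, 'verdict': str} for a raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    flags = []

    # 1. Sender address: look-alike of a trusted domain, or an organisation name on a free-mail address
    if lookalike_of(sender_domain):
        flags.append("sender-lookalike-domain")
    brands = {t.split(".")[0].replace("-", " ") for t in TRUSTED_DOMAINS}
    if sender_domain in FREE_MAIL and any(b in name.lower() for b in brands):
        flags.append("sender-free-mail")
    # 2. Urgent or threatening language
    if any(phrase in text for phrase in URGENCY):
        flags.append("urgent-language")
    # 3. Links: the visible text names one site, the href goes to another (what hovering would reveal)
    for href, link_text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(link_text.strip()).hostname or "").lower()
        if text_host and text_host != href_host and "link-text-mismatch" not in flags:
            flags.append("link-text-mismatch")
        if is_ip(href_host) and "link-to-ip-address" not in flags:
            flags.append("link-to-ip-address")
        if lookalike_of(href_host) and "link-lookalike-domain" not in flags:
            flags.append("link-lookalike-domain")
    # 4. Request for personal information
    if any(phrase in text for phrase in SENSITIVE):
        flags.append("asks-for-sensitive-info")
    # (5. spelling and grammar is left to the reader: it does not automate well)

    score = len(flags)
    verdict = "likely phishing" if score >= 3 else ("suspicious" if score else "no red flags")
    return {"flags": flags, "score": score, "verdict": verdict}


# Constructed sample messages.
PHISH = """From: "Example Bank Security" <alerts@examp1e-bank.invalid>
To: pat@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>We detected unusual activity. Verify your account immediately or it will be suspended within 24 hours.</p>
<p><a href="http://198.51.100.23/login">https://www.example-bank.invalid/login</a></p>
<p>Reply with your password and the last four digits of your social security number.</p>
"""

LEGIT = """From: "Example Bank" <noreply@example-bank.invalid>
To: pat@example.com
Subject: Your May statement is ready
Content-Type: text/html

<p>Your statement is available. Log in at <a href="https://www.example-bank.invalid/statements">https://www.example-bank.invalid/statements</a> to view it.</p>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        result = score_email(raw)
        print(f"{label}: {result['verdict']} (score {result['score']}) {result['flags']}")
```

The constructed phishing sample trips five flags at once, which is typical: a lure that needs you to act fast, hand over a secret, and not look too closely at the address rarely manages only one. Keyword lists like these produce false positives on legitimate account notices, so in practice the score is a prompt to verify through a known channel, not an automatic delete.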

Password strength is important

Password strength is important because weak passwords can be easily guessed or cracked by attackers, which can lead to unauthorized access to your accounts, identity theft, financial fraud, and other malicious activities.

A strong password is one that is difficult for attackers to guess or crack, even with automated tools. It typically consists of a combination of uppercase and lowercase letters, numbers, and symbols, and is at least 8-12 characters long (or longer). Using a passphrase made up of multiple words can also be a good way to create a strong password.

A weak password, on the other hand, is one that is easily guessable or can be found through brute force methods such as dictionary attacks or password cracking tools. Weak passwords often consist of common words, names, or easily guessable sequences like “1234” or “password.”

Using a strong password is important because it can help to protect your personal and sensitive information from being accessed by unauthorized users. Additionally, using unique and complex passwords for each account can help to prevent a single compromised password from leading to multiple account breaches.

To ensure password strength, it’s recommended to use a password manager that can generate and store complex passwords for you, enable two-factor authentication whenever possible, and regularly update your passwords to ensure maximum security.
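The advice above (length, mixed character classes, no common or guessable choices, passphrases) can be checked locally before a password is ever sent anywhere. The Python below is an added example, not part of the original post: it estimates the entropy of a candidate under two models (random characters from the classes present, or words from a Diceware-sized list for a plain-word passphrase), rejects common passwords, keyboard sequences and anything shorter than twelve characters, and, tying back to the first post on this page, rejects passwords that contain details a social feed would reveal. The word lists, the twelve-character floor (the text says 8-12 or longer; this picks the upper end) and the entropy thresholds are this example's own choices, not a published standard.

```python
# Added example, not from the original post: a local password checker that applies the advice
# above (length, mix of character classes, no common or guessable choices, passphrases) and
# ties in the earlier post: details you have shared online make poor password material.
# The word lists and thresholds are this example's own choices, not a published standard.
import math

# A tiny stand-in for the multi-million-entry lists crackers really use (constructed).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
# Keyboard walks and runs that dictionary tools try first.
SEQUENCES = ("1234", "abcd", "qwerty", "asdf", "1111", "0000", "zxcv")
MIN_LENGTH = 12                 # the text says 8-12 or longer; this checker picks the upper end
WORDLIST_SIZE = 7776            # Diceware-style list, for the passphrase entropy model


def estimate_entropy_bits(password):
    """Entropy of a *randomly chosen* password of this shape. A passphrase of 4+ plain words is
    modelled as words drawn from a 7776-word list; anything else as characters from its classes."""
    words = password.split()
    if len(words) >= 4 and all(w.isalpha() for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password, personal_terms=()):
    """Return {'bits': float, 'problems': [...], 'verdict': 'weak'|'fair'|'strong'}.
    personal_terms: names, pets, years, schools, cars... anything a social feed would reveal."""
    low = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if any(seq in low for seq in SEQUENCES):
        problems.append("contains a keyboard or number sequence")
    hits = [t for t in personal_terms if len(t) >= 3 and t.lower() in low]
    if hits:
        problems.append("contains personal detail: " + ", ".join(hits))
    bits = estimate_entropy_bits(password)
    if bits < 50:
        problems.append(f"estimated entropy only {bits:.0f} bits")
    if problems:
        verdict = "weak"
    else:
        verdict = "strong" if bits >= 70 else "fair"
    return {"bits": round(bits, 1), "problems": problems, "verdict": verdict}


if __name__ == "__main__":
    # Constructed candidates; the personal terms echo the meme answers from the first post.
    shared_online = ["Celica", "1979", "Gullible State"]
    for candidate in ["password", "Celica1979!", "correct horse battery staple",
                      "correct horse battery staple crumpet lantern", "xK9#vL2mQ!r7"]:
        r = check_password(candidate, shared_online)
        print(f"{candidate!r:48} {r['verdict']:6} {r['bits']:5.1f} bits  {'; '.join(r['problems'])}")
```

Two things the output makes visible: a four-word passphrase scores around 52 bits, which is why six or more words is the usual recommendation, and `Celica1979!` passes every character-class test yet is still weak, because the first post on this page showed exactly how an attacker learns that car and that year. A password manager sidesteps the whole exercise by generating the random kind for you.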

What is smishing?

Smishing is a type of cyber attack where an attacker uses text messages, also known as SMS (Short Message Service), to trick a victim into giving away sensitive information such as credit card numbers, passwords, or other personal data.

In a smishing attack, the attacker usually poses as a representative from a legitimate organization, such as a bank or government agency, and uses social engineering techniques to gain the victim’s trust. They may claim that there is a problem with the victim’s account or that there has been suspicious activity, and ask for sensitive information to resolve the issue.

Smishing attacks can be especially effective because text messages are often perceived as more trustworthy than emails and can create a sense of urgency or fear in the victim. They may also use links or attachments in the text message to download malware onto the victim’s device.

To protect yourself from smishing attacks, it’s important to be cautious when receiving unsolicited text messages and never give out sensitive information through a text message unless you are sure of the sender’s identity. You can also verify the legitimacy of the message by contacting the organization directly through a trusted channel, such as the phone number listed on their official website. Additionally, enabling anti-phishing and anti-malware features on your phone can help to prevent smishing attacks.