In the latest Cyber Security Awareness Forum, we talked about online tracking threats and their impacts on individuals and organizations. Although our live CSAFs are typically targeted at businesses and employers, this topic covers both businesses and individuals. 

So, whether you are a security industry leader, a CEO, or a self-employed individual with little knowledge of security, this session will be perfect for you either way. The panelists joining me this time are: 

Fletus Poston (FP) – A security champion, Fletus is a Senior Manager of Security Operations at CrashPlan®. CrashPlan® provides peace of mind through secure, scalable, straightforward endpoint data backup for any organization. 

Tyler Sweaney (TS) – Tyler is a Cybersecurity Specialist Account Manager at Global CTI, a Management Service Provider that’s focused on servicing our customers in California.

Ryan Healey-Ogden (RH) – Ryan is Click Armor’s Director of Business Development. He holds a passion for security awareness, education, and technology and how it relates to people.

And I’m Scott Wright (SW), CEO of Click Armor, the Gamified Security Awareness Platform and Security Awareness Services Company. Now, let’s learn about online tracking threats and how you can protect yourself as an individual and your business.

What types of online tracking threats pose the greatest risks to individuals? To organizations?

RH: We know about web history, ad networks, and device-based tracking. Those things are fairly out there, and we have remediation for those. 

The biggest risk in Canada right now is foreign interference through misinformation, tracking, and surveillance. So, now we have Canadian politicians being tracked, monitored and made threats. Then we have citizens being influenced by advertising to try and make a certain decision.

There are also trade secrets for companies as well. You could have a production facility. You don’t want people to know where it is. But if all of your employees are suddenly lighting up a heat map because of their phones or Apple Watches, your competition does now know where to look.

FP: Yes, a lot of devices are smart devices that are constantly pinging you for a GPS signal, trying to triangulate where you’re at, which is great for GPS coordinates. But, when you start logging in with the same account in multiple places, business and personal, now you’re linking your route to work. It’s good to question what apps have location turned on? Does it need to have your location turned on and does it need to know the location just to use a calculator? 

Then there’s network discovery on Apple and Google products. So if I’m on the same network as another iPhone, I see all the other iPhones. So when you select the network, you can spoof the MAC address.

TS: Exactly. I tell everybody to look at their settings on iPhones. Usually, your location is allowed for all of your apps. Disable all of it, most of it you can disable and you won’t notice a difference. If I want to tag an Instagram photo in a certain location, I will turn my location on to the photo, turn it back off. And the same thing with your camera roll. You don’t need access to all my photos all the time. I’ll give you access to whatever I need to send.

There are companies that are data brokers and they have a huge profit incentive to figure out who you are and market towards you. And they’re getting better and better at it, which means that, conversely, we have to get better and better at preventing it, if not just for privacy.

During the panel, we also shared this article from Tech Radar on web tracking.

What technologies are available to combat online tracking threats?

RH: Faraday Bags. I keep my keys in those. If you’ve heard the news about your car being stolen from repeaters, Faraday Bags help that. If you want your phone to go black, Faraday Bags also work for that.

SW: Yeah, SLNT is a company that has Faraday Bags. They’ve got a whole range of things from keys to laptop bags and I think even backpacks.

RH: I’m also personally a DNS filtering guy. So, you use filtering lists to stop the trackers before they even get to your network. You can use external DNS filtering services. I think NextDNS is a good example that you can set up on your own network. So I can stop all trackers, I can stop all ads, I can stop all adult websites, I can stop all gambling.

That’s my number one, and then I still use a VPN connecting out to the external world.

TS: To add to the DNS conversation: Say you’ve got a school or you’ve got a small business or you’ve got a family and you want to have safe browsing, DNS is something you can hard code into your computer. They will limit pretty much anything that’s a bother. So, any website that’s mature will never resolve in your environment.

What do employees need to know and do to protect themselves?

RH: The number one thing for employees to protect themselves is education. So, I tell these entity stories to my friends, my family and my neighbours and stuff in hopes of just making them aware. So then they go home and improve their own security. 

So, I say to corporations and companies, they need to take this seriously and they need to understand if an employee knows what’s being tracked, how it’s being tracked, and how it’s being used. 

SW: Then they will be more receptive to guidance on how to protect themselves. If you’re helping them protect their personal information, then they’ll understand better how to protect business information.

TS: Taking some of these steps and making sure that they are the right steps. PrivacyGuides is a great resource to see what you can do to protect your privacy. Then, my recommendations are: get a Firefox browser, stop giving Chrome all the love. Firefox is better and you can harden it way better.

Then, it always comes down to what is your threat level? Because we could host a four hour webinar on how to harden everything for a new block. But, you need to know what your threat level is and what is important to you. 

FP: One thing that we didn’t talk about as we all talked about browser security is use a browser for different things. So for example, if you use Brave, then Brave is just for my crypto use and another browser is for another activity. 

The cookie is per browser. So only do certain activities in that browser. It doesn’t cross to another browser until you log into that browser with that email. Don’t contaminate.

It’s important that whether you are an individual or a business, you are aware of the possible online tracking threats. As our panelists shared, education and spreading awareness is key in order for your employees or your peers to be able to make informed decisions on their privacy. Watch the full panel on our YouTube channel here.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.