November 2, 2017
The ‘Olivia’ Experiment Part II: A Personal Security Crash Diet

Editor's note:  For this series of articles, it is technically written by an anonymous employee at Rapid7 who is referred to as "Olivia" for this series. Tod is recognized as the author of this series since he was involved in its creation.

Hello, I'm Olivia. I'm the anonymous employee from Rapid7, who has been participating in a month-long experiment called a "crash security diet." The goal is to identify any security risks that I might be exposed to and to test out any recommendations to improve my situation. We are publishing the findings in a six-part series on VentureFizz in reference to the recent National Cyber Security Awareness Month (NCSAM). If you’re just tuning in, check out part one on VentureFizz to learn more of the details on this experiment.

I’m here to tighten my belt, metaphorically speaking, when it comes to different security practices. I have been testing out various security recommendations to decipher what’s realistic, what’s really helping, and what’s reserved only for the leanest, meanest security machines. The first post was all about maintenance – software updates, passwords, and backin’ it all up – aka all the semi-tedious, yet impactful chores that shrink your internet footprint. 

“If a tree falls in the forest and nobody hears it, did it make a sound?” Except replace your ears with thumbs and the forest with an airport and you’ve got this week’s two-for-one special: traveling and social media. The two are pretty closely linked as far as use and sharing, so I’m going to consider them together this week.

In the days of yesteryear, taxis and hotels were the standard. In 2017, the millennial era of travel, it’s all about ride sharing (Uber, Lyft, and other local options) and Airbnb. I opted for both of these relatively new services to give a security comparison to the still omnipresent standards of yore.

Getting There

When I think about taking a taxi vs. a ride share service, my first concern is physical security. For me, the untraceable nature of a taxi is much more frightening to me than an Uber or Lyft. I love that there’s a record of where my car’s been, if anything were to happen. However, using a ridesharing app means…a record of where I’ve been. That location data paints a pretty obvious picture of where I spend my time. For me, it’s worth the trade-off for physical safety.

That said, if you use a more local ridesharing app while traveling, it doesn’t hurt to delete the app and its data when you’re back home.

WWW: Wi-Fi While Wandering

Almost cliché at this point is the chorus of “what’s the Wi-Fi password” immediately upon entering cafes, restaurants, bars, friends’ houses, you name it. Politics of establishments feeling obligated to pay for shared Wi-Fi at the cost of a coffee/shaming patrons who want to cut down on their data usage aside… the reality of the situation is that we live in a connected society. And when traveling without access to home Wi-Fi, the need is really real. But how do you stay safe while staying productive?

Hotel Wi-Fi is pretty universally dicey (same goes for most public spaces). Almost all have public Wi-Fi and “private” Wi-Fi you log into from your room…either of which can be easily spoofed, meaning mimicked convincingly so you think you’re logging into theirs, but are really making friends with an evil access point full of DNS poison. Again, unless you’re die-hard and jet-setting with your own router, it’s pretty hard to avoid these networks. So, use bar rules when in Rome, a hotel, or an actual bar – be smart, be careful, and forget (networks) quickly.

The most secure option for using Wi-Fi for important information is a Virtual Private Network (VPN). This creates a direct, secure connection on top of any, especially questionable, networks. I have one for my work laptop (security company, duh). There are also several services that you can use for private laptops and phones. Private Internet Access is a delightful and affordable choice, but there are tons out there to choose from.

Social Sharing

For the social sharing diet, the goal was to cut down on the risk associated with personal posting. The exposure from indiscriminate social posting can be broken down into three motivations:

  1. Please rob me – whether on vacation or out for the night, if you’re a live poster on open social media, you’re also creating a minute-to-minute guide for potential thieves. When you’re at work, when you’re on vacation, what valuables you have… the list goes on. All the better to steal your stuff, my dear.

  2. Stalkers – no, this does not mean “omg I’m such a stalker” because you looked at the Instagram of a new acquaintance/ interview candidate/ ex’s best friend’s sister. While it may be the same basic exposure, the real risk is stalking with purpose of intimidation, fear, and potential harm.

  3. Spam & Bots – having an account private gets rid of the Bexckyxx69 follows and diet pill DMs, or at least makes them request your attention.

1 and 2 are somewhat rare and not intended to induce paranoia, and 3 is irritating, but not sinister (even if you do think marketing is ‘evil’). Like all security measures, social sharing is a trade-off between security/privacy and ease of use. Ultimately the choice is yours, so I reviewed my accounts with a max security lens to make it easier (if not at least entertaining) for you.

Instagram and Twitter, while different media, are largely the same as far as sharing goes. First of all, I made both of those accounts private since both were publicly scrollable. While it’s easier to keep pithy observations and retweets vague to avoid pinpointing location, photos often contain richer, identifiable detail. To address the “please rob me” concern, despite all the boomerangs, sunset pics, and concert videos I took while traveling, they’ll all be posted #tbt now that I’m back home. I wouldn’t say either of my accounts are incredibly personal, but it would definitely be possible to piece together my life in alarming detail by perusing my 140-character thoughts and filtered photos. Rather not. Turning location sharing off in the settings for these apps is almost not worth mentioning, but there it is, mentioned.

On Snapchat, where the only option is real-time sharing (no #tbt here), there wasn’t a ton of concern for me since the audience is limited to approved friends. For the sake of the diet, I did go through my address book to weed out people with whom I don’t interact and definitely don’t need to be privy to my singing along with All I Want for Christmas is You.

My Facebook was already pretty locked down, but turns out when you search photos of me, tagged photos of me from an aunt – even ones that I’ve declined to add to my profile – show up for anyone. Pretty benign as far as things go, although it’s not ideal to have anyone be able to see a catalog of semi-embarrassing photos of me.... And yet, the only way to address this is with a quick, maybe uncomfy conversation, and some education on FB security preferences.

Stay tuned to VentureFizz as my “Security Crash Diet” continues to roll on!  

Tod Beardsley is the Research Director at Rapid7.
VentureFizz Location(s):