The threat of digital spying is growing at a rapid rate, generationally, more and more are creating an online footprint. As more people get mobile devices and attach to the public Internet, there are more opportunities for attackers to conduct surveillance on selected targets. Your identity can be stolen. You finances can be impacted. Your safety can be threatened. All of this should concern you and enough so that you practice operating safely on the Internet, in social media sites, and as you use your mobile device.

When we discussed how easily your credit card data could be stolen, this did not mean carry around a stack of cash everywhere you go. That too creates a risk. What exposing you to the risks should do is, train you to minimize them.

Information privacy should be practiced as much as possible. If you want something to remain safe, it’s best not to talk about it, record it, or write it down. If you do so, then you should consider that it could be at risk. This is incredibly difficult to do. There are things that we must simply record and write. As you navigate from place to place, consider that your actions are being recorded as seen in Figure 8.1. You’re on video camera; your actions are logged so how do you keep your information private? To keep your information private, you need to secure it the best way possible.

To secure your actions, your identity, and your privacy, you need to learn general security practices that we will cover in this chapter. Some of them may seem outlandish; however, you be the judge. You can choose to practice some of them, or just use them as suggestions. However, one thing is true; if you become the victim of spying, identity theft or an invasion of privacy, and you’re also impacted financially, you may find yourself reviewing this chapter or perhaps the entire book to learn or re-learn ways to safeguard against such attacks.

You can limit exposure by considering what you post online. You can limit exposure by paying in cash instead of by credit card and use specific credit cards with fraud protection in places that you do not frequently or often visit in order to track fraud if it takes place. Check your statements often, and review for any possible misuse. There are many ways you can change your habits so that you can better protect your most valuable asset: you.

As seen in Figure 8.2, your information can be taken from you without your knowledge – physically and digitally. Ensure that you are aware of your surroundings, keep your valuables secure. Your personal information can be stolen and used against you physically as well as in the digital realm.

Obviously, due diligence is a general term whereas, more specifically, there are actions you can take to secure yourself from the threat of identity theft:

All of these techniques may not eradicate the threat; however, it minimizes the landscape. Be safe, consider that there are threats in the world, and attempt to safeguard yourself, others you care for, and your personal and private belongings.

There are general guidelines to “hardening” any systems, software, hardware, or application you use. Most come with details on how to do this; however, some do not. In these cases, most restrictive is always recommended and then open up or loosen these restrictions as needed.

Basic system hardening guidelines are as follows:

In theory, you should use encryption whenever possible. You should encrypt data so that if stolen, it cannot be used. Using strong encryption is recommended since weaker versions can be easily cracked. Encryption can in fact be broken, so always consider that this is not 100% secure whenever you use it.

Passwords should always be used and it’s recommended that you use strong passwords. This means that you should not use dictionary words, things that can be associated with you (kids and pet’s names as an example), or any other easily identifiable information that can be used to guess your credentials. Generally, a password should contain a mixture of letters and numbers, upper and lower case letters, and special characters if possible.

General reconnaissance and surveillance protection comes in the form of due diligence also. You should always make sure that you are aware of your surroundings and look for things that look out of place. A great example would be if you see that while driving, a car or van behind you is taking the same path as you but attempting to stay out of view. This can be seen by the vehicle not following directly behind you, but a few cars away. A great way to validate this is to make a turn off your normal path and see if the vehicle still remains behind you. A way to protect yourself may be to drive to a police station nearby and park out front.

This may seem scary but believe it or not, it happens. You may have an ex-spouse or mate tracking you and what you are doing. This is also possible if you are in a current court case with someone and they are attempting to gather information on you and what you are doing. For example, if you go to “happy hour” on a Friday evening and attempt to leave the bar and drive. They (or a private investigator) may be videotaping you for evidence.

Although uncommon, there are those out there who may wish to cause you harm randomly, so the same rules apply. Be aware of your surroundings and look for things that are out of place.

General digital surveillance mitigation is similar, whereas with someone physically following you, what is following you are the cameras. In this case, the best form of mitigation is to attempt to be aware of where the cameras are and avoid them. One may ask, why you would want to avoid cameras and that may be answered by two simple answers: either you want what you do to remain private for good reasons or for bad. It may also be because you are attempting to thwart detection and do not want your actions recorded. Either way, there is little you can do to avoid detection without physically or electronically disrupting the cameras, and avoidance is your best method.

To mitigate information gathering in general, attempt to practice restraint when posting, putting information online, or giving information away. The public Internet is a goldmine for those conducting intelligence. When used in non-malicious ways, the Internet can be a source of a lot of information. Researching a homework assignment, locating the best travel path, or getting movie times are all simple examples of what can be done in seconds without having to leave your home or pick up your phone. When used for good reasons, the Internet can prove to be extremely helpful; however, when used for bad reasons, the Internet can be used to gather information to conduct attacks.

Another issue with the Internet is that once you put something on a server such as a blog post, a data file, or other source of data, it could remain there for a long time, possibly forever. Data backups collect data from servers and archive it. Data can also be added without your knowledge. In the world of social media, it’s common for people you connect to and with to, and “post” data such as an old picture of you. It can also be done in real time. For example, a favorite bar you visit frequently can quickly be online news if someone posts about it, tags a picture of you within it, or posts that you are in a group at a certain location. Attackers can use this information to ascertain your habits, favorite frequented places, and many other facts about you.

Data can also be doctored. Pictures can be digitally edited, words can be manipulated, and if someone has stolen your identity and posing (and posting) as you on the Internet, could cause serious issues for you. Information is also added willingly, almost too willingly by many. Social media sites today encourage those who are part of them to post data, connect to others for no reason other than to increase their numbers, and like things you normally wouldn’t ever comment on outside of the digital world.

Without any effort at all, your information can be added to the publically searchable Internet within seconds, stay within it indefinitely, and even if you think you have had it removed, it could still be archived somewhere for retrieval. To add, this does not include the data that can be obtained from globally interconnected devices that can also provide those who seek information a source to get it. Servers cache data as an example to speed up Internet browsing and if this system was hacked, could reveal the browsing habits of an entire community as an example.

We should be concerned as a society that if those who wish to do us harm, need only to first have an Internet connection and second a “will” to be interested in gathering data on you, that’s all it takes is a few clicks of their mouse to obtain it. To mitigate, restraint is the key. Observe others as well, who may put information online about you and attempt to have it removed if you do not want it online.

Physical security is equally important. When at work, take the security policies enforced in your organization seriously. No, do not hold the door open for someone you do not know to let them into your office suite. Yes, it’s great manners; however, there have been dozens if not hundreds of penetration attacks conducted by allowing someone into an office suite by simply holding the door for someone to be nice, they do not need to use the biometrics or card reader and you have just been hacked.

Be aware of your actions. Do not allow someone to dig through your trash. Do not allow someone to watch over your shoulder. You can protect yourself by destroying information such as using a shredder as seen in Figure 8.3.

Shred or burn important papers you decide to trash and do not leave anything that can be reused. Do not sit somewhere with your back facing an open crowd, and do not do personal or private work on your laptop or phone, mobile device, or pad if you cannot safeguard it from being overseen.

When you are talking to someone on the phone, be aware of your audience. Could you be on conference? Could the phone be tapped? Can the room you’re in be bugged? Don’t believe it can happen? Hopefully, by reading this book and others like it, you can start to realize that yes it does happen and it happens often.

When opening e-mails or receiving texts, take the extra time to perform a seconds worth of due diligence. Check the entire e-mail header, review the domain name in which the e-mail was sent, and validate with a phone call to the originator based on a trusted source (not from the e-mail itself) that this was in fact sent on purpose and not a scam.

Do not openly trust. Since this is tough to do, it’s no question as to why this is one of the biggest attacks performed today and why it’s the most difficult to mitigate. As you can see, there are many ways to mitigate this form of attack but it comes down to not trusting everything you see and hear and trusting everyone you do or do not know. It simply comes down to verifying and validating things and ensuring that they are safe if possible.

There are many definitions for social engineering. As we just discussed, manipulating human control in order to gain unauthorized access is one of them. Another could be, using a human to provide needed information to gain access to trusted resources. When considering technology specifically, it can sometimes be defined as malware used to trick a user into providing trusted data. In all of these examples, manipulation and trickery are key words used to define the basic underlying principles of social engineering.

In relation to information gathering, social engineering can be used to gain technical data such as passwords, physical and logical access to resources, and many other pieces of information that could be used to conduct a larger attack. Another example, you trick someone through simple conversation to produce answers you need. For example, I place a call to you from a spoofed phone number that appears to you to be from a trusted source. I then tell you things that relate to you, us, or our conversation so that I can gain your trust. By asking specific questions and getting answers, I may be able to ascertain information from you needed to do another task, such as your account information to get into a personal website or bank account. This can then be leveraged into the digital world by exploiting the gathered information.

It is difficult to mitigate social engineering attacks. It strikes at the very root of how human beings treat each other; defending against social engineering means that you need to be aware of your surroundings, who you are dealing with, and no, you cannot trust everyone you meet or know. In fact, social engineers scout for this overly trusting, gullible behavior in people in order to know who to manipulate and how to manipulate them. They are considered easy targets. An act of kindness could be, in fact, the launch of an attack as seen in Figure 8.4.

If you could openly trust everyone and everything, there would be no reason for security. No locks on doors and banks would leave their vaults wide open. The fact is that historically, this is not the case and security grows as an industry exponentially every year. As we have covered, there is a thin line between being overly safe and being paranoid. That does not mean you should not have faith in people and believe that you can trust them; it just means precautions are in order for your benefit and the benefit of your finances, your loved ones, and your safety.

You can remain safe by being aware. Be aware of your surroundings. Who are you talking to, who can be listening?

Are you typing something? Are you being recorded? If you remain aware and vigilant about your own personal security, you will understand how to mitigate social engineering attacks. Do not openly trust those you do not know and think about the actions of those you do.

When you are tracked with your mobile phone (or device), you are essentially giving your exact geographical position away to your telecommunications carrier. The radio towers that you use to obtain and maintain your signal are also used as reference to your exact position. Global positioning system (GPS) technology also aids in placing your location, which we will discuss further in the chapter. Carriers can also track movement based on technology called location-based services. This technology can be used to help assess specific coordinates as you use your mobile device. We will also discuss this technology further within the chapter.

In this chapter, we will also address how the US government is taking advantage of an outdated law on privacy and technology to track Americans. If you use your mobile phone, it will register its position with cell towers every few minutes, whether the phone is being used or not – and mobile carriers are retaining location data on their customers. As the government collects and uses this data, a record of your movements is being kept without your permission or knowledge. Why is spying on mobile devices so important to understand? If you are a victim, let’s look at what could be at risk:

As you can see, with a simple application, your privacy is no longer secure and everything you say and do as well as where you go can be tracked. Pretty scary don’t you think?

Another interesting trend emerging in technology today is the “physical tracking” of items with devices. Other devices exist that help those who are forgetful. New devices are coming to the market that allow you to place trackers on items you would normally misplace, for example, a set of keys. More commonly, tools are being sold to “track your pets” with sensors that although only operate with Bluetooth and can only be tracked so far, some offerings can track you within larger radiuses. Another growing trend is with wearable technology where a new market has opened. This technology will allow tracking and the data collected is used with an application so that you can track your health, track your diet, and track your medical condition. There are many devices on the market today that can be placed on a target to “track” them without their knowledge as well such as the locator seen in Figure 8.5.

Other physical tracking such as finding a lost phone has been around for some time now; however, the technology has been evolving. By registering a device online, offerings such as Apple’s MobileMe (iCloud) allows for the recovery of a lost or stolen device by tracking it. Our vehicles are now coming equipped from the factory with tracking devices installed in them. LoJack that has been around for years is also another form of an advanced anti-theft device that allows for the tracking and recovery of a stolen car. LoJack can also be used with other devices such as laptops. Surveillance gear to track someone physically is also emerging, such as USB devices that can be placed within a car or on a person (perhaps in a pocketbook) to track movement of an individual without their knowledge.

As you can see, tracking is nothing new and it’s growing at an alarming rate. It’s growing in availability and ease of use. It’s being offered as a service for the forgetful and it is appear as a standard feature in devices everywhere. This goes beyond the tracking being done without your knowledge. Within the chapter we will also make reference to tracking without technology, stalking, etc. however the bulk of this chapter will revolve around the technical tracking devices used to physically bug you with or without your knowledge.

When you are charged with a crime and go through the process of getting fingerprinted, you are put into a database so that you can be tracked. Since fingerprints are unique to an individual, it seems likely that if you are caught after being fingerprinted, you will be found to be a possible target of investigation if your prints show up at another crime scene. Similar to physical human fingerprinting, devices can also leave a unique mark. Device fingerprints can be tracked easily; however, there are ways to secure against them. With technology you need to understand that there are unique characteristics that pinpoint or associate you to a device.

As you can see, tracking is done everyday, in many ways so that devices you use, places you go, and things you buy can all be tracked. It is possible that when you leave your home in the morning and go to work, go out to lunch, and then back to work and return home, your entire day and everything you have done can be tracked. The credit cards you used, the calls you made, and the ticket you got on a busy intersection can all be used to track your patterns, your movements, and your ultimate location.

There are also different ways that you can be tracked, some ways are application specific and others are physical device specific. If you access a server to download files, you likely did this via IP-based devices that then connect to another IP-based device. Yes, the addressing can be spoofed; however, this can be easily mitigated if you know what to look for. Also, you need to consider that every movement you make in an application-centric world can be logged that allows system administrators to look through, log, and review activity. If you are at work and visit a questionable website against company policy, it’s likely you can and will be found doing so.

You can also be tracked by wearable technology. Ensure that you practice safety when using these devices and the best mitigation techniques is to first limit your exposure, limit your digital footprint, and, if you do use the technology, take every opportunity to harden it as per the systems guidelines.

As we discuss these topics and how they relate to reconnaissance and surveillance, it will become evident that you are now always on camera. We carry one with us everywhere we go. There tends to be a camera located everywhere. Let’s consider this example: you wake up and get ready for work, while in your home you are on camera as your home has an active internal security surveillance system. You check your e-mail before you leave the house on your laptop configured with a webcam. You pack up to leave and grab your mobile phone and tablet and get into your car. Your drive to work roughly passing 10 traffic lights before pulling in and parking in the parking garage. There is video surveillance feeds in the garage. You enter work and each entrance/exit and floor contains surveillance equipment. You dock your work laptop (with integrated webcam) and get to work briefly checking your mobile devices that are directly sitting next to you. Each time you leave your desk to move within the office, you take your phone with you. You leave for lunch and go to mall to eat in the food court with a few friends. The mall has video surveillance feeds. After work, you drive back home (10 traffic lights) and settle in for the evening. After dinner, you decide to load a game on your Microsoft Xbox and join a few friends online to play games. After, you check your social media sites online and Skype with a friend.

We can go on and on but I think you get the picture. You are on camera 24 hours a day and this does not include the government’s ability to pinpoint and track your whereabouts via satellite. This does not include military or law enforcement being able to use satellite tracking. Digital surveillance is here to stay and will probably become more invasive over time so learning how to mitigate threats and be aware of new threats is the key to regaining your privacy.

Make sure that you are aware that webcams can be exploited. Some put a piece of tape over their cameras on their systems if they do not use them. Other’s run anti-malware software to ensure Trojans are not running on their system. Regardless, ensure that you protect against this threat or your private and personal information can be exploited.

As we see, data tracking and doing forensic work in the digital domain can prove to be helpful; however, it is not always a guarantee that data can be kept secure. As many security analysts learned in the past decade, all of the security measures in the world did not stop a perpetrator from removing classified information about the US nuclear weaponry with a thumb drive. While working as a security analyst, you may be asked to investigate data loss or theft. Data loss prevention is the activity where you or your business entity does whatever possible to safeguard from data leakage or theft. With data everywhere, safeguarding it is a considerable challenge. Data leakage, loss, or theft causes one major problem – it is no longer secure or secret.

Data theft is also a problem that is considerably getting worse. As mobile devices are stolen, data is taken on thumb drives or websites are hacked and credentials are leaked; more and more attackers are able to spy on those they target or find targets through the data they acquire. This data can have confidential information such as passwords to financial accounts, pictures of loved ones that can also become targets, and/or medical information you wish to keep secret.

Data theft can happen in many ways. Physically, a pocketbook or wallet can be stolen. Your phone or mobile device can be taken. Your laptop can be stolen. The data could be with a service provider and they could potentially become a target inadvertently making you the next target. So why is this such an issue when it comes to protecting your assets from surveillance, becoming a target and/or victim? Your data if not protected can be used against you. For example, if your mobile device is lost or stolen and the attacker gains access, they can pose as you which is identity theft. They have access to your private information that can be used to launch a series of attacks against you and those you know.

Due diligence should be done in an effort to protect against becoming a target such as using encryption on your data so that if it is accessed, it cannot be used. Password protection allows those who gain access to a device to be challenged that may dissuade them from attempting to steal your data; however, if your password protection is not strong, it can easily be hacked. When considering surveillance, never store data that can be used against you with protecting it. It is up to you to protect against a data breach to ensure that your data is safe and secure.

Make sure that you safeguard your belongings. Ensure that you use credit or debit cards safely. Protect your data at rest with encryption and protect access. Protect your data in motion with encryption.