Ten years ago, when Jacob started his career in IT security, the field was mostly limited to passwords and keeping servers and firewalls updated and secured, he says. The specialist now works for SecurityMadeIn.LU (Smile), a para-governmental cybersecurity agency.
“In the last five years, the field of IT security has exploded. We are in a connected and interconnected society, and increasingly dependent on connected objects: cars, watches, TVs, homes, even dogs’ collars or children’s toys.”
All of this offers ample opportunity for cybercriminals to get to work. “There’s a lot of information out there and information is valuable.”
I like to think of myself as a cautious social media user. My Twitter account, which I use for work, is public. My LinkedIn page is semi-public. Other social media accounts are private. “But you use the same name,” says Jacob, which allows him to easily cross-reference public and private accounts.
It’s one of his tips for social media users. If you have professional accounts under your real name, use pseudonyms, initials or another disguise for your private accounts, with no public pictures linking the two.
“The more you complicate the access to information and the connections between information, the faster a cybercriminal will move on to someone else,” Jacob says.
Creating a victim's profile
While he cannot access my Facebook profile, he can see previous profile pictures, which are not hidden, as well as the list of people who have liked them. Generally, I don’t post pictures of myself, but the artworks and landscapes I choose are enough to help Jacob create a psychological profile.
Cybercriminals use such profiles to target their attacks, whether that be to pose as a love interest, a fake business contact or another context in which they later extort money, publicly discredit their victim or do other harm.
Even though I am meeting Jacob for the first time during our interview, he has compiled a portrait of me only with the information he found freely on the internet. “There’s nothing illegal about it; there’s no piracy,” he says.
And so begins a journey into my online persona, which Jacob says didn’t even involve a full-on deep dive. “You value Luxembourg and like it here. You are smart, sensitive, with an affinity for art. You have a tendency to be cautious, not to reveal too much about yourself. You don’t post a lot. You’re present but discreetly. You volunteer, you’re interested in people and in education. You’re serious about your work. Voilà. Did I hit the mark?”
There is more and Jacob proceeds to explain how a cybercriminal would exploit this information.
The method is called open-source intelligence (OSINT): it helps hackers home in on data that is in the public domain. Jacob recommends that people look up what they can find about themselves using OSINT tools, which are freely available online. “Do it to protect yourself,” he says. All you need as a starting point is an email address, phone number, username or photo.
The experience is rather unsettling. On top of my name, face and interests, Jacob has also found voice and video recordings, all through work. “I could use this video to create a deepfake,” he says. “There are enough words.”
To simulate cyberattacks in work environments, Security Made in Luxembourg offers Room#42, a test environment in which participants are confronted with different threats, from data leaks to ransomware attacks, and must react in real time. They must negotiate with hackers and respond to journalists who have gotten wind of the story, and more elements are added throughout the experience to make it as realistic as possible.
For personal use, Jacob himself has two computers: one is connected to the internet, and on the other he stores personal and sensitive documents and data. “I pay a lot of attention to the configuration of the social networks I use, such as geolocalisation. I read the terms and conditions.”
All too often, users sign away their rights by agreeing to terms and conditions without first reading them. The jargon-laden and seemingly endless lists are off-putting and not easy to digest, but bloggers or specialised media outlets, for example, can give snapshots of the key elements. Knowing one’s rights is crucial to using them.
Dating apps are another risk factor, especially when used with a real name. They can give hackers a fairly good idea of where somebody lives or works, because they indicate the location where the person currently is. Together with photos that can be cross-referenced with other pictures online, dating apps can be another way for cybercriminals to target a victim.
“Everything matters,” Jacob says. “Maybe not on its own, but in relation to other things.” Everyone, in principle, could be a target, however insignificant we might consider ourselves to be. Employees are always gateways to their companies, which might be the much bigger target for criminals.
Jacob’s advice: don’t talk to strangers, be vigilant about what you share, limit interactions between different profiles, use different passwords across platforms, use separate work and private devices, and when something sounds too good to be true, chances are that it is. “You don’t have to be paranoid,” he says. “But you must beware.”