A personal rant on Security and Privacy

You may have noticed an increasing trend of news articles about breaches of privacy, confidential data being leaked, and abuse of privacy regulations. We are used to big companies being hacked, leaking private data, and their ineptitude in handling these privacy incidents. You probably remember the Equifax data breach in 2017, or more recently, in Singapore, SingHealth (Singapore’s biggest network of healthcare facilities). The trend started with non-technology companies, but is spreading fast, and has begun to affect the FAANGs: Facebook (and its subsidiary Instagram), Google, Amazon. Apple is still holding for the moment. This list only covers the most hyped cases of the past few weeks.

We are the problem…

The main issue with privacy is rooted in our mindset: most people don’t have any understanding of the risks and implications of using connected tools and services. There are big powers at play, and the vast majority of users don’t even realize that they’re valuable targets. Whenever I talk on the importance of using strong passwords, different on each app and website, most people just roll their eyes.

Almost no one realizes that there has been a significant shift in the world of cyber-security. On one side you have what we see in the movies, where the smart hacker will bypass all defenses and firewalls of any government agency or military base, within seconds. And, on the other hand, you have the real world, where some lazy fraudsters will buy a script from a hacker and exploit tens of thousands of vulnerable devices around the world. Most people are only familiar with the first case and don’t realize that they are likely already victims of the second. Everyone is a target, as long as they have essential files, a computer (or any device with some computing power such as a router), a bank account, or a credit card.

When was the last time you updated your home router’s firmware? Do you know that search engines are continually indexing vulnerable devices? You could, for example, look for all Synology Disk Stations with a guest account enabled, all vulnerable MicroTik routers, all open or hackable webcams, just about anything. Do you think this is difficult to do in real life? In the video below, in less than a minute, I log into some random person’s Netgear router. From there I could very quickly jump into their home network, get their private files, intercept all the network traffic, install ransomware or crypto-mining software, even switch off their home’s Wi-Fi and lock them out of their own router. A small piece of advice: log into your router, switch off UPnP (Universal Plug and Play), change the password, and enable automatic firmware updates.

A quick snapshot of me getting into a router a million miles away
A quick snapshot of me getting into a router a million miles away

Just consider that a newly found zero-day vulnerability can be worth millions on the black market, while it is only worth a fraction of that if it’s responsibly disclosed. A weakness on a consumer router won’t be used to hack into a foreign government, but it will be used to exploit as many unaware people as possible.

…and also the solution

Our responsibility as technologists is to raise the level of awareness and start spreading safe privacy behaviors around us. If we do this in the workplace, our employees will then bring good habits home to their families and friends. At TSC, even though we are still considered a startup, we have mandatory periodic security training, monthly phishing tests, enforce the use of two-factor authentication, and provide all employees with a password manager not only for their work passwords but also for their private ones. We also offer a VPN for people who travel or like to work in public places. We have seen a massive transformation in the way our people behave in their everyday life, and at the same time, the attack surface of our company has shrunk considerably.

I, personally, have not used Google search in years, and find that DuckDuckGo provides excellent search results without harvesting my data. I also use content blockers on all my browsers and devices, do not allow my email clients to download images or other remote resources, and route all my web traffic through a VPN. While it might seem extreme to some, these are the steps I chose to take to protect my personal data.

In reality, we trade our privacy for convenience every time we do a Google search. I encourage everyone to take an honest look at their own privacy posture and make informed choices about how much personal data they are willing to share with the world.

I have originally posted this article on TSC’s website, but I thought it would be relevant for OSOMac’s readers as well.