Protecting Privacy

It Could Happen To You Protecting Privacy

Tim Hoffman, MS, CISSP, ISP, C|EH, GCIH, ITIL, CCSK, CTT+, Security+…

© Tim Hoffman & Associates, LLC 2020 Agenda o Community Changes Everything Overview – Qualifications o Privacy Right Laptop Lounge and Alida Connection o Top Threat of the Day: CYBER CRIME Privacy – What Is It ? o DARKNET FULLZ Google Search Right of Privacy – PERSONAL AUTONOMY o Staying Anonymous Good Old Days o Finding Information Our World Has Changed (I and II) Who Has Our Information: EVERYONE Social Media Addiction o

We Give Our Data Away For Free o Identity Theft (Financial)

Legal Residual Risks in Social Media o Identity Theft (Medical)

o Let’s Get Technical © Tim Hoffman & Associates, LLC 2020

Overview - Qualifications President/CEO – Alida Connection

Lead Information Security Engineer UCSF and for Center for Digital Health Innovation

EVP ISSA Colorado Springs - Fellow

Former US Navy Cryptologic Officer - part of the Intelligence Community Director of Threat at NSA spending time in Off-Line Crypto, Signals Intelligence/SIGSEC and Taught Electronic Warfare – Radio Fingerprinting – Mensuration Mensuration, a branch of mathematics that deals with measurement of various parameters of geometric figures

Co-Author of technical series Network+ Certification Guide, TCP/IP for Windows NT 4.0, TCP/IP for Windows 2000, Microsoft Proxy Server 2.0, UBS Warburg Rollout Policy

MS, CISSP, ISP, C|EH, GCIH, ITIL, CCSK, CTT+, Security+…

This presentation will not: Make you thinner. Put $12,000,000 in your bank account. Help you find the LOVE of your life.

If you are receiving many advertisements in email for Cialis and Viagra – this discussion may be for you.

Privacy (from Latin: privatus) is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. When something is private to a person, it usually means there is something to them inherently special or sensitive.

The domain of privacy partially overlaps security, including for instance the concepts of appropriate use, as well as protection of information. Privacy may also take the form of bodily integrity.

Privacy may be voluntarily sacrificed, normally in exchange for perceived benefits and very often with specific dangers and losses, although this is a very strategic view of human relationships. In the business world, a person may volunteer personal details (often for advertising purposes) in order to gamble on winning a prize. Personal information which is voluntarily shared but subsequently stolen or misused can lead to identity theft.

© Tim Hoffman & Associates, LLC 2020 Right of Privacy: PERSONAL AUTONOMY The right of privacy has evolved to protect the freedom of individuals to choose whether or not to perform certain acts or subject themselves to certain experiences.

This personal autonomy has grown into a 'liberty' protected by the Due Process Clause of the 14th Amendment.

This liberty is narrowly defined and generally only protects privacy of family, marriage, motherhood, procreation, and child rearing.

There have been attempts to further extend the right of privacy under other Amendments (1st, 4th, and 5th) to the U.S. Constitution; however, a general right to personal autonomy has yet to take hold beyond limited circumstances. Source: Cornell Law

In the 1940s we assumed everyone was honest – good citizens.

What are our assumptions today? © Tim Hoffman & Associates, LLC 2020 Good Old Days Those who cannot remember the past are condemned to repeat it. Analogy - SLOW - versus - FAST - and LOCAL versus GLOBAL.

Investigations - Information Collection - Step-by-Step Privacy by Design – everything was local – so choices were limited

Data was collected and used locally A background check for Government work was a lengthy process – one element at a time. Local Agency Check (Police Records) – National Agency Check (ENT – NAC or NAC) SBI – SSBI and beyond (nuclear programs etc.)

Name – Address – Phone – Family & Relatives – Mother’s Maiden Name - SSN – DOB – Past Addresses – Place of Employment – Real Property – Marriage – Divorce – Voter Registration – Civil Court and Public Filings – Permits – Licenses – Church Affiliations – Tax Filing – Donations – Credit Report – Credit Cards – Phone Bills –

© Tim Hoffman & Associates, LLC 2020 Our World Has Changed Computing Power (speed, hard drive storage and memory) Everyone has a cell phone / smart phone Everything is immediate and digital - Travel, Medical records, Credit Card Department of Homeland Security save 75 years of exit and entry to the US Google – stores 100 Years of every Newspaper in the US Every Twitter tweet turned over to the Library of Congress Optical Character Readers can scan thousands of sheets every day Google mapped every WI-FI node in North America Creation of new Search Models and new video to text - translators Precision Target Marketing – merchants want to sell stuff

There is no forgetting – everything you have ever done Every Rant – post – picture – ticket – newsgroup – telephone call and Every Bit and Byte of Activity

Everything is forever cached – indexed – and stored for posterity

No privacy any more – no shame –

LinedIn – Name Address Phone

Sexual Orientation

What you did last night – life casting – real reality

Where you are going on vacation (and your children)

Blippy.com – putting your entire set of purchases online

GPS is always on – Everyone wants to know everything about you

Augmented Reality (facial recognition – building - landmark recognition)

Picasa now has Built in Facial Recognition

Tag everything – right ?

© Tim Hoffman & Associates, LLC 2020 We Give Our Data Away For Free Before computers were used as primary tools - people used anonymity to protect their privacy. Are you anonymous today? No - today anonymity is close to non-existent for anyone alive. Cyber crime is increasing exponentially – Nation State Sponsored. Once you give your data to a company who does it belong to? What’s in your account? Facebook Google Drive Identify theft is rampant. Twitter AWS (Amazon) Ever tried to delete? Tumblr Azure (Microsoft) Foursquare Box Look at Wayback at Pinterest DROPBOX archive.org Shutterfly iCloud

Today – Everyone has a megaphone

The end of Forgetting is here – all communications are permanent and indelible

Data points exist on everything that is put online in any format

Social media means: Everyone talks Everyone listens Everyone remembers EVERYTHING !

The line between personal and professional – private and public is a BLUR !

Social media creates both internal and external legal risks that did not exist before.

Disclosure of RESTRICTED (Confidential/SECRET) information Trademark Infringement Copyright Infringement Defamation E-Discovery Endorsements Privacy and Publicity RIGHTS HR Issues

Privacy is one of the most widely sought of rights and among rights most valued The TO DO LIST: Consider what you reveal about personal details to strangers or just-met “friends” (think social engineering) Beware of web sites that offer rewards and prizes Be aware of home computer and device security Examine privacy policies Use encryption everywhere possible (look for the lock)

The NOT DO LIST: Do not reveal personal information inadvertently Do not reply to spammers - for any reason

In the evolution of CYBER CRIME - In days past –

Perhaps a teenager or a couple friends got together with some energy drinks or a Mountain Dew and set out to find a web server with vulnerabilities they could exploit for fun. Cyber Crime Today –

Lone criminal is still out there but the predominant form of threat is the organized group of cyber criminals who are intent on hacking for profit.

Many of the groups that do this are made up of highly skilled professionals who seek financial gains.

Credit cards are worth a dollar ($1) each

Medical Record with some history is worth up to $214 (Ponemon Institute)

Hello I'm hacker and seller and I offer stuff for serious carders. If you need CVV or ***** (track1/track2 original), or something else I will be glad to help you. Always in stock Us , EU , UK , CN database of *****, COB's, Full Info, CVV's... ***** - include original track1/track2, also have some ***** with card holder info (ZIP , SSN , MMN , CVV2) CVVs - include CC#, CVV2, EXP.DATE, full name, full address. My service is well-known, and verified at carding forums. I am a verified seller at these sites: Netcarding.ru OffCarding DarkNet CardingWorld I do shopping to any address in US and UK,I shop iphones,laptops,perfums and more,Laptop is 100$,Iphone is 100$,Normal phone is 80$...... Come for more deal Contact me if u want buy: sellcvv_good14 1 Visa card...... 3$ 1 master card...... 3$ 1 amex card...... 5$ 1 Dicover card...... 5$ 1 Company card...... 8$ 1 Uk Card Nornal CC...... 5$ 1 Uk Card With DOB ...... 20$ 1 Track 1& 2 CC...... 30$

Look up Black Market Reloaded – Google Search – find the guide for staying anonymous.

Oh Ngo! Consumer Credit Company Experian, Which Sells ID Theft Protection, Duped by Cybercriminal into Selling Credit Card and Other Data on Millions of Americans. Hieu Minh Ngo (We presume Ngo pronounces his name “No” – hence our headline) ran an underground service called Superget info. This registration- free site made it possible for cybercriminals to look up full Social Security numbers, birthdays, drivers’ license records and financial information on millions of Americans. Payment to the site was made via WebMoney and other virtual currencies. Brian Krebs in KrebsOnSecurity did a painstaking, lengthy investigation, which turned into a rather lengthy piece. Find his full piece at krebsonsecurity.com. Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. …(The) abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.

Web search engines - the current listing:

Abbreviations for abbreviations ABC Search engine - every search starts with ABC About for guidance, not guesswork Academic Search. It's from Microsoft, so it's got to be great. Hasn't it? Acronym finder - for over 750,000 human edited definitions Addictomatic Great for quick results in a modular format. Alexa is good for finding information on the top 100k sites AllPlus - meta search and discovery engine Answers is the world's leading Q&A site AOL Search no, I didn't think it was still going, but it is Around People Finder. UK, US, Australia, Europe emphasized. Ask (Jeeves) still limping along, shadow of its former self Ask if you want the US/global version Azoos is the brightest yellow search engine out there Bananaslug Run a search and include a random word, to see what you get! BASE for academic search. 56 million+ documents

BBC Video Nation, with categories, features and local information Behold for flickr images Betterwhois gets you good accurate information on domains Bing. Microsoft's faint Google lookalike. Biographies.net is an excellent source to identify biographical information. Blekko is a good alternative to the big 3. Definately try it. Blindsearch to compare results of major engines Blinkx is a video search engine, with 35 million hours of it! Blippex is for private searching. They don't track you. Carrot2 is a clustering engine – to focus on a subject area you're not sure of ChaCha allows you get other people to help with your search Clipblast searches for videos for you. Not personally stunned by it. Cluuz A visual search engine Collarity for personalized searching across different types of data CompletePlant for 70k of searchable databases. Good for deep web Country search engines is my list of 4,000 engines for 200+ countries Creative Common search. Great for finding stuff you're allowed to use. CriticalPast for vintage stock footage and royalty free material. DailyEarth US newspaper emphasis.

© Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE Dailymotion for videos - emphasis on UK based content Daybees the worlds largest events search engine, so they say. Definitions is good for thousands of definitions Deepdyve for deep web searching Digital Librarian; a librarian's choice of the best of the web DMOZ for a hierarchical directory, old but still good Dogpile for multi-search of Google, Yahoo, Ask & Bing (GYAB) Draze to compare Google, Yahoo and Bing FindThatFile for documents, audio, video, zip, archives and so on. FinQoo is an underwhelming meta search engine Galaxy is a directory based search engine Gigablast is a good second string search engine. DuckDuckGo is a family safe engine Eatbydate tells you if food is safe to eat. Could save your life! Maybe. Ehow searches for crafty type material and 'how to' stuff. Entireweb is a free text search engine Exalead is an excellent alternative to Google Excite is there, but does anyone use it any more?

© Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE Info Service is quirky and very colorful. Odd directory though Internet Archive to see all those old pages! Intute for academic resources. First class service Irazoo search, win gift cards. I want to search, not win $5 Iseek is a clustering search engine; very good too Ixquick is an excellent meta search engine Izito Combines 'all' search engines. Err, no, it doesn't. Jurn is a curated academic search engine indexing 4.5k free ejournals in the arts Kedrix Why search when you can mearch? KidsClick is web search for children by librarians KidRex is another children's safe search engine Kngine styles itself as a Web 3 semantic web search engine Knowem? Search over 550 social networks for brand and user names Lanyrd Need to find a conference, event or speaker? This'll help out Librarians' Internet Index is a brilliant resource

© Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE LocateTV find shows, actors and movies Lyrics is a great search engine to find those song lyrics. V. Good. Lycos is still out there, but getting old and creaky Macroglossa Visual search engine Upload image, see what it finds Mahalo for social search, human created information resources Mamma is the mother of all meta search engines MetaCrawler is a meta search engine Millionshort all the results, except the top million or so. Interesting take on search. MrSapo Multi search engine, lots of options, very sparse SERP though. Monstercrawler for a GYAB search Motherpipe - no tracking, no cookies, just search Mundusearch for web, sounds, lyrics, music and video MyAllSearch You can choose from Google, Yahoo, Bing, Ask (Jeeves), Yandex, Lycos, Metacrawler, Entireweb and DuckDuckGo. Newseum 772 front pages from 80+ countries. Newslookup Latest news headlines, emphasis on US but also global content

© Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE Newsmap Great tool; news arranged by color and size. NewsNow Emphasis on the UK news. Numberfetch for landline and free phone numbers OAIster for academic material that's otherwise hard to find OmniMedicalSearch is a top notch medical search engine Oolone is a graphic search engine; quite pleasing to look at and use. Opening TV Themes. Yes, you will lose hours of your life happily humming Panabee for comparing results from different search engines Pepesearch for free text and directory search. Not impressed Phrases.net for common phrases, casual expressions and idioms Pipl People finder. Good as the rest, which means not any better. PolyMeta is an intelligent meta search and clustering engine PublicRadioFan for searching for radio stations. Qrobe for Google, Yahoo/Bing and Ask Questfinder is a selective web directory

© Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE Quixey Want apps? This has apps in abundance! Quotes.net for famous and not so famous quotations Quintura for visual search in a word/tag cloud for children. RealMoneyPoker offers an online Texas Hold'em legality search engine Redz for visual search - an arch of webpage thumbnails References is a good source of reference resources ReferrerCode - An Online Games Bonus Code Search Engine Re-QUEST is a directory based engine Rhymes.net finds words that rhyme, with translation / pronunciation as well. RocketNews Bit of a dud - very repetition, but global ScienceHack for science videos verified by 'a scientist' Scour to search socially, see community votes and comments Searchbug for people and company search in the US Search is a multi search engine. Not stunned by it Searchboth lets you compare results for 9 different engines Searchbots is a 'build your own' resource Searchdazzle puts 4 engines on one page. Searchhippo is another multi-search engine that doesn't excite me SearchLion covers Web, images, news, video, blogs, twitter. Blended approach. SearchMedia is a UK medical search engine for professional © Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE Searchthenet is a multi-search engine - 20 engines offered SearchtheWeb is a directory engine which fails to impress Sency for real time, what's happening this moment information Similar-site finds similar sites to that which you provide Similarsites finds similar sites to that which you provide Similicio.us finds similar sites to that which you provide Silobreaker is the #1 news site out there, bar none Siteslike is a find similar sites engine SlideFinder searches for PowerPoint presentations Slider is a full text search engine that searches DMOZ SmartLinks provides quick links in a directory structure SnapBird for Twitter searching Snappyfingers is a Q&A database, searching FAQs. Socialmention* A king of real time social media search and analysis Soovle for Google, Wikipedia, Answers, YouTube, Ask, Yahoo, Amazon Soundclips for uh.. clips of y'know, sounds and stuff. SoundJax for clips of sounds. Loads of sounds. Soungle for even more sounds. Spacetime 3D looks very similar to Redz; visual search engine Spezify for multi-search visual results © Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE Sputtr - lots of tiles for multi searching. Stilltasty is a food date/edibility search engine Surfcanyon is a general engine Sunsteam is a directory engine, now 10 years old Sweetsearch evaluated sources designed for students Symbols is about signs, flags, glyphs, excellent arrangement, top resource Synonyms net is the webs most comprehensive synonym resource TeacherTube for safe and education YouTube videos Technorati for blog search TellyAds has over 17K recent TV ads available to search. The Net 1 is a directory engine The Paperboy Front pages of newspapers. Great for news freaks. TopSite Find the best 10 top websites for almost any subject Topsy Want tweets? They have 425 billion of them. The place to go to search Twitter Trooker is a great video search engine resource Trovando - first class multi search engine, though some choices are very outdated now. True Knowledge allows you to ask questions on the web, just as if you were talking to another human being. Renamed as Evi Turboscout is an excellent multi search engine USZip provides excellent factual information on US zip code locations. Vimeo is another YouTube lookalike video search engine © Tim Hoffman & Associates, LLC 2020 Who Has Our Information: EVERYONE Wayback machine to go way back to 1996 for examples of archived pages. Invaluable WebCrawler is a meta engine for GYAB Web-Search is a multi search engine that offers 18 resources WebWorld for quality sites on the web, in a directory style Whostalkin Who is talking, not stalking. Though as its a social media engine, who knows? Wink People Finder. Emphasis on US, but over 400 million profiles Wolfram Alpha is a computational search engine; good but different! Worldcat find 2 billion items in libraries near you. (Near being a relative term) Worldnews News from around the world. Fancy that. WWW Virtual Library for directory listing of virtual libraries Yabigo searches Yahoo, Bing and Google Yahoo needs no introduction either.

Yandex is Russian based, but don't let that put you off, it's a good alternative to Google Yippy is 'family friendly' which means badly censored to the point of being actively unhelpful. Yometa takes the results from Google, Yahoo and Bing and displays them in a Venn diagram YouTube is for videos, but you knew that already Zakta is a personalized search engine resource Zanran helps you to find ‘semi-structured’ data on the web. Zapmeta searches all the major engines Zeekly for private searching. Nothing kept or stored, including IP addresses 10x10 100 words and pictures that define the time. Unique and interesting. 123 people is a UK people search engine 48ers Real time social search.

Value to the thief

Identity Theft typically causes us to think about people stealing our credit cards and bank accounts and then we are left with fallout in the form of making repairs for a year or two on Credit Reports.

This is called financial identity theft. We hear about data breaches like TJ Maxx (47.5 million credit cards) and Heartland Payment Systems (130 million credit cards) regularly now.

We have pretty much lost faith in the financial institutions that should protect our information and we are probably thinking about better ways to protect ourselves. When an identity thief gets access to your bank account, you will want to read up on the Electronic Funds Transfer Act (EFTA).

VISA – Master Card – Home Depot – UPS – Michael’s – Target – Sony - GoodWill

© Tim Hoffman & Associates, LLC 2020 Identify Theft (Medical) Medical Identity Theft is described by the World Health Organization as “the information crime that can kill you.” It’s not just the most dangerous form of identity theft, it’s also one of the hardest to fix. There are very specific areas you will want to look into when you are a victim of medical identity theft, and they are in general vastly different from dealing with any other type of identity theft. Medical Information Bureau (MIB) Group, Inc is a cooperative data exchange formed by the North American life insurance industry in 1909. (As a side-note, there is a lot of misinformation concerning the the Medical Information Bureau (MIB) when it comes to medical identity theft. Keep in mind that, despite the name of the organization, MIB Group has almost nothing to do with medical identity theft – although if you are a victim of insurance identity theft you may want to consider checking your free MIB report.)

As our networks increase in speed, complexity, and nuance: How do we include appropriate security measures?

Can you identify current Passive Attacks Network Wiretapping - Port scanner - Idle scan

Can you identify current Active Attacks Denial-of-service attack – Spoofing - Man in the middle - ARP poisoning - Smurf attack Buffer overflow - Heap overflow - Format string attack - SQL injection - cyber attack - Heartbleed (Open SSL)