Social Media Self-Defence and Privacy Workshop Ed Yuwono - CryptoAustralia Who am I?
• Information Security strategist (by day) • Director of Strategy CryptoAustralia (by night) • Blue Team/Defensive background • Based in Europe • Perpetual Traveller
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 2 Disclaimer
• Please, please, please don't use material from this workshop to violate moral, ethical & legal norms • Views presented within are my own
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 3 Agenda/Objectives
• Social Media Privacy Basics • Threats to privacy • Defensive options in everyday life • Q & A
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 4 In case you missed it
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 5 What does Zuck have to say?
• Source (April 10th 2018): https://www.washingtonpost.com/news/the- switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate- hearing/
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 6 Basic privacy tenets
• Individual: your physical and non physical traits (eg: memories, emotions, secrets) • Privacy protects your traits • There is no 'undo‘, a disclosed secret is perpetually public • Privacy important enough for the EU to declare as a basic human right
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 7 Speaking of EU GDPR…
• Apr 19th • https://www.theguardian.com/technology/2018/apr/19/facebook- moves-15bn-users-out-of-reach-of-new-european-privacy-law
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 8 No ‘one size fits all’
• Some of you: • would like to remain private • maintain a reputation in the workplace • require a public presence • Strike a balance between personal life and your public image • Protect your • Assets • Reputation • Right for privacy
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 9 Defending against levels of ‘adversary’
BAD GOOD
• Curious minds • Bad software apps/Artificial Intelligence • Unethical/immoral practices • Declared Enemies • Illegal acts • Nation states
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 10 Your adversary's motives
• Progressing to an age where wealth is: • No longer physical • eg: cash vs card vs crypto currencies • Generated from information ‘on tap’ • eg: online ‘everything’: research, trading, betting,… • Your personal worth • Tangible: financial • Intangible: knowledge, status, reputation • What happens to you if your adversary steals, disputes, manipulates, block access to your information?
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 11 Adversarial Success
• Success=ability to execute to completion • Ability to execute=capability x resources x time • Attainable knowledge (capability) • Cheaper computing power & access to information (resources) • The side with the most motivation & time will win • However, if you can exhaust one or more of the three elements, life will be hard for your adversary
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 12 Knowledge is power
• You can deduce someone's: • Social status • Personal, Social, Public • Reputation • Social, Public • Net worth, purchasing potential, risk appetite • Personal, Public, Location • Movement • Personal, Location
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 13 The Age of Social Networks
• Provide opportunity for data enrichment • Open Source Intelligence (OSINT) is a discipline • Case study
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 14 Who is watching the watchers?
• Apr 19th • https://www.bloomberg.com/features/2018-palantir- peter-thiel/
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 15 I have nothing to hide
• Apr 19th • https://www.bloomberg.com/features/2018-palantir- peter-thiel/
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 16 Ground Rules
• Don’t feed the system (use archives/takeouts) • Look for • Personally Identifiable Information (PII) • Name, phone, address, work, gov ID, financials • Passwords/password reset messages! • Expletives • ‘Not Safe For Work’ (NSFW) • Anything personal/incriminating • Tested with a browser, might work with a mobile app • Small pauses
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 17 Countermeasures: Prevention
• Behaviour: If it’s something you can’t say on TV, don’t post it • Platform: Check and cover any holes you might expose
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 18 Triage
• ‘Stop the bleeding’ • Revisit what you have posted • Remember, not one size fits all • Find your balance • Search & destroy: selective delete • Nuke: wipe everything (sometimes easier to delete account)
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 19 Remediation
• Someone is using your information • Horse has bolted • Limit further damage • Legal • Procedural
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 20 LinkedIn: Prevention
• This is your professional persona • Assume your work colleague is looking • Manage your passwords!!! • Got an account before 2012? • Have I been pwned • https://haveibeenpwned.com/
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 21 LinkedIn: Prevention
• Import your contacts – think twice • Web/Mobile app • Are you using a personal/BYOD phone or personal email address? • Avoid importing your email/phone contacts • Spammy, sends out invites to everyone it discovers! • Working in a sensitive role? • Stay off LinkedIn/all social media • Use an alias • Your employer may have policy or guidelines
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 22 LinkedIn: Prevention
• Settings & Privacy-Account: • Removing email/phone numbers • Microsoft (Applications) • Permitted Services (Applications) • Settings & Privacy-Privacy: • Edit your public profile (Search engines) • Who can see your Email address • Who can see your Connections • Last name • Representing your organisation (company policy?)
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 23 LinkedIn: Prevention
• Settings-Privacy (continued): • Profile visibility off LinkedIn • Manage Active Status • Discover from email/phone number (FB did this!) • Sync contacts • Others: • Profile • Contact Info-Date of Birth-Visible to: Only you
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 24 LinkedIn: Triage
• Takeout • Interesting items • Ad Targeting • Connections • Comments • Imported Contacts • Logins • Messages • Receipts • Registration • Search Queries • Security Challenges • Job Applications
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 25 LinkedIn: Triage
• Social Profiling • Connections • Name, Email, Company, Position, Connected date • Imported Contacts • From your email or phone contacts! • Name, Company, Title, Email, Phone, Created, IM handle, Address • Messages • From, To, Date, Subject, Content
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 26 LinkedIn: Triage
• Public Profiling • References • Endorsements • Comments • Group comments • Group Posts • Likes • Shares • Articles
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 27 LinkedIn: Triage
• Personal Profiling • Profile • Ad Targeting • Ads Clicked • Job Applications • Messages • Search Queries • Applications
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 28 LinkedIn: Triage
• Location Profiling • Logins • Profile • Receipts • Registration • Security Challenges
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 29 LinkedIn: Triage
• Imported Contacts • My Network-’See All’-Manage synced and imported contacts-Imported • https://www.linkedin.com/mynetwork/contacts/imported • Select All-Delete (This does not delete your connections, only information stored on LinkedIn)
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 30 LinkedIn: Triage – Search & Destroy
• Posts/Comments/Likes • Me-Posts & Activity-Posts or All Activity • Messages • Search for person and delete thread • Deletes entire thread! • https://www.linkedin.com/help/linkedin/answer/4 20/deleting-a-conversation • Job Applications • Jobs-Applied Jobs-Delete Job
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 31 LinkedIn: Triage – Search & Destroy
• Search History • Click in Search bar • Wait • Click on ‘Clear’
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 32 LinkedIn: Triage - Nuke
• Close your Linkedin Account • Me-Settings & Privacy-Account-Account Management-Closing your LinkedIn Account • https://www.linkedin.com/psettings/acco unt-management/close-action-needed • You must downgrade to the Basic plan first • If you paid, you lose your credits
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 33 Facebook: Prevention
• Your personal persona • Exception: people in the personal/lifestyle industry • eg: fitness, home, health, etc • A higher level of engagement is required • Test: if you can’t say it at work: • Don’t post it or • Lock down your profile
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 34 Facebook: Prevention
• View As • Different view of your profile • Public • Friend (View as specific person) • Profile-…-View As… • Default: Public…could see a lot!
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 35 Facebook: Prevention
• Lock down your public profile • Settings-Privacy
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 36 Facebook: Prevention
• Location • VPN • TOR • Browser • https://www.torproject.org • FB • https://facebookcorewwwi.onion • Apps! • Security-Apps & Websites
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 37 Facebook: Triage
• Old Takeout
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 38 Facebook: Triage
• Takeout • Interesting items • Just about everything • Extract and open index.htm • Activity Log • Everything you did on Facebook! • Profile-View Activity Log or • Settings-Your Facebook Information-Access your information
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 39 Facebook: Triage
• Are you affected? • https://arstechnica.com/information- technology/2018/03/facebook-scraped-call-text- message-data-for-years-from-android-phones/
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 40 Facebook: Triage
• Social Profiling • Photos/Videos • People who like/comment • Friends • Date connected • Messages • Lots of info • Events • Events you attended
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 41 Facebook: Triage • Public Profiling • Public profile Information • Posts • Your places • Photos • Videos • Comments • Likes/Reactions • Posts & Comments • Groups • Events (Public)
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 42 Facebook: Triage
• Personal Profiling • Personal profile information • Profile • Your places • Timeline • Other Activity-Pokes • Posts • Friends • Photos • Ads • Videos • Search history • Comments • Location history • Likes/Reactions • Messages • Groups • Saved items • Events • Apps
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 43 Facebook: Triage
• Personal Profiling • Deep dive – Everything about you • Ads Interests • Advertisers who've uploaded a contact list with your information • Search History • Location History
• Calls and messages Have you been scraped?
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 44 Facebook: Triage
• Location Profiling • Profile (Address) • Photos (Phone/IP) • Videos (IP) • Events (Event Locations) • Your places (GPS) • Location history • Security and login information (Time/date, IP, Browser, Carrier, GPS Location)
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 45 Facebook: Triage – Search & Destroy
• Activity Log • Profile-View Activity Log-(Filters)More- Security and login information • Review and delete as appropriate • Use filters to help with deleting • You can’t: • Delete tracking information • Modify Ad information
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 46 Facebook: Triage – Search & Destroy
• Messages • Delete any sensitive information • Contact details • Financial • Medical • Legal • Use your archive to search!
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 47 Facebook: Triage – Search & Destroy
• Search History • Click in search bar-Edit-Select ‘Edit’ next to the search-Delete (select searches) or
• Clear searches (all searches)
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 48 Facebook: Triage - Nuke
• Deactivate • Temporary • Delete • Permanent • Settings-Your Facebook information-Delete your account and information
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 49 Google: Prevention
• Your private persona • Don’t mix work and play • Lock it down tight and don’t share • Is it necessary? • My account-Personal info & privacy • Date of birth • Gender
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 50 Google: Prevention
• My Account-Personal Info & Privacy-My Activity-Activity Controls • https://myaccount.google.com/activitycontrols • Web & App Activity • Location History • Device Information • Voice & Audio Activity • YouTube Search History • YouTube Watch History
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 51 Google: Prevention
• My Account-Personal Info & Privacy-Ad Settings • https://adssettings.google.com/
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 52 Google: Prevention
• Apps! • My Account-Sign-in & security • https://myaccount.google.com/security#connectedapps
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 53 Google: Triage https://myaccount.google.com/dashboard
• Google dashboard • Maps • Search • Android • Calendar • Chrome • Contacts • Drive • Play • YouTube • Plus
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 54 Google: Triage
• Takeout • Interesting items • Just about everything • Extract and open index.html • Mail • https://www.thunderbird.net • Activity Log • Everything you did on Google! • My account-Personal info & privacy-My Activity
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 55 Google: Triage • Social Profiling • Google + • Google Photos • Groups • YouTube
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 56 Google: Triage • Public Profiling • Google + • Google Photos • Groups • YouTube • Like/comment
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 57 Google: Triage
• Personal Profiling • Location History • Bookmarks (If synced • Mail with Chrome) • Maps • Calendar • My Activity • Contacts • My Maps • Drive • Tasks • Google Photos • YouTube • Groups • Search History • Hangouts • Apps • Keep
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 58 Google: Triage
• Personal Profiling • Deep dive • Ads • Ads Personalisation • https://adssettings.google.com/ • Emails • My Activity • Search History • Google Trips
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 59 Google: Triage
• Location Profiling • Google timeline • https://www.google.com/maps/timeline • Calendar (Addresses) • Contacts (Addresses) • Location History (GPS) • Maps (your places) (GPS) • My Maps (GPS)
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 60 Google: Triage – Search & Destroy
• Create offline backups using takeout • …then delete material • Search offline package • Gmail • older_than:1y or older:2017/01/24 • https://support.google.com/mail/answer/7190
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 61 Google: Triage – Search & Destroy
• All services • My Account-Personal Info & Privacy-My Activity-Delete activity by… • https://myactivity.google.com/myactivity
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 62 Google: Triage – Search & Destroy
• Google Timeline • Delete any sensitive locations • Go to the date then delete
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 63 Google: Triage - Nuke
• Delete Products • My Account-Account Preferences-Delete your account or services-Delete Products • Delete Google Account and data • Permanent
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 64 Twitter: Prevention
• Your public persona • Privacy and safety • Protect your Tweets • Emergency Lockdown • Tweet with a location-Untick • Discoverability • Let others find you by your email address-Untick • Let others find you by your phone number-Untick
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 65 Twitter: Prevention
• Privacy and safety, continued • Personalization and Data-Disable all • Twitter for teams • Only allow people you follow to add you to their team • Send/Receive read receipts- Untick
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 66 Twitter: Prevention
• Apps! • Settings-Apps • https://twitter.com/settings/applications
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 67 Twitter: Triage
• Takeout • Offline Search!!! • Extract and open index.html • Beware: not entirely offline! • Use CSV version • No messages
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 68 Twitter: Triage
• Social Profiling • Followers • Following • Likes
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 69 Twitter: Triage
• Public Profiling • Tweets • Retweets • Likes
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 70 Twitter: Triage
• Personal Profiling • Tweets • Location • Messages • Device • Ads • Advertiser list • Or DIY! • https://github.com/x0rz/tweets_analyzer
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 71 Twitter: Triage
• Location Profiling • Location • Device • PC, night, regular patterns-static location?
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 72 Twitter: Triage – Search & Destroy
• Create offline backups using takeout • Search using takeout search • …then delete material • If you can’t say it in public, delete it
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 73 Twitter: Triage - Nuke
• Deactivate • 30 Days before delete • https://twitter.com/settings/accounts/confirm_deactivation
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 74 Remediation
• Procedural • Report a privacy violation • Video/Photo • Cheaper option • Requires time! • https://www.linkedin.com/help/linkedin/answer/146 • https://www.facebook.com/help/1561472897490627/ • https://support.google.com/legal/troubleshooter/1114 905 • https://help.twitter.com/en/rules-and- policies/twitter-report-violation
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 75 Remediation
• Procedural • Report a fake profile • Could be used for ‘misrepresentation’ • Cheaper option • Requires time! • https://www.linkedin.com/help/linkedin/answer/61664/rep orting-fake-profiles • https://www.facebook.com/help/167722253287296 • (Google+) https://support.google.com/plus/troubleshooter/1715140 • https://help.twitter.com/forms/impersonation
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 76 Remediation
• Legal • Mileage may vary • Depends on legal jurisdictions • $$$ • Lengthy • Little protection against immoral/unethical acts
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 77 Q & A
• Questions • Email: • Ed.Yuwono.MSISM gmail.com
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 78 THANKYOU
Social Media Self-Defence and Privacy Workshop | OIC Qld PAW May 2018 | Ed Yuwono 79