There has been an uproar over disclosures regarding the rather ambitious program known as PRISM and the harvesting of metadata from mobile phone calls, both programs administered by the NSA which are designed to gain access to what we would like to think is private information.
While the widespread rage over the government engaging in the systematic collection and analysis of data about law abiding citizens is more than understandable, the fact is that people in this age of the Internet freely share huge amounts of personal information on a daily basis, and doing so puts them at risk.
We freely share details of our lives, our travels, information about our children, our extended family, about our business, our employers, our Web browsing and shopping habits, our medical condition – all data that falls under the definition of Personally Identifiable Information (PII).
This information, when aggregated in Big Data systems, can reveal very personal details about nearly every aspect of our lives. And it is not only the government whose use of this information should worry us; it is also the marketing machines of big business and, even worse, attackers who seek to exploit these open sources of intelligence for their own gain.
NIST Special Publication 800-122 defines PII as “any information about an individual… that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name…” but it encompasses far more.
“The definition of PII that most people understand is really far too narrow. PII is really any piece of information that can be used to confidently link data back to a human,” said Andrew Storms (@st0rmz), director of security operations for Tripwire.
His colleague Lamar Bailey (@btle310), director of security research and development, agrees. “PII is not just credit card, Social Security numbers, and bank accounts. It’s literally any information that can be used to impersonate you or gain your trust online and offline.”
PII is routinely collected every single day of our digital lives – through tracking cookies when we visit websites, keywords in emails we send, through purchases made with credit or debit cards, when we scan parking or public transportation passes, and more – all of it together producing a portrait of our very selves.
“Here’s an example that involves department store and grocery store rewards cards,” Storms points out. “Last year, Target got in trouble for using consumer purchase data to identify a pregnant teen before her parents knew.”
This type of data is quite valuable to the businesses we patronize, and it is also often sold to other commercial interests. While we might expect the businesses we frequent to use this data in an attempt to tailor our shopping experience, there are much more nefarious elements who find this data valuable as well, which is why it is so often the target of criminal cyber attacks.
Aside from the vast amounts of data stored by organizations that can be exfiltrated by hackers, there are even greater amounts of personal information readily available that we ourselves produce and distribute through social media platforms – information that can be used against us.
“Many people don’t think like attackers, and trustingly add their information to online sites like high school yearbooks, birthday reminders, and genealogy or family tree sites that are prevalent on social media,” said Tripwire’s CTO Dwayne Melancon (@ThatDwayne).
“For an attacker that is targeting you or attempting to steal your identity, these sources are a gold mine.”
And it is not just personal details we are broadcasting through social media; we may also be providing clues to attackers that can be used in the brute force and dictionary attacks designed to gain access to our accounts.
“Attackers can also mine a wide range of social sources to find out the answers to your ‘secret questions’ for identity validation – where you went to school, mother’s maiden name, previous addresses, and things like that,” Melancon pointed out.
Storms agrees, pointing out that “one of the most significant attacker innovations recently has been the ability to tie multiple smaller bits of information together as part of a cohesive attack strategy. Social media and networking sites are treasure troves of data that users unknowingly give away every day.”
It is not only our personal assets and accounts that are targeted through data mining of social networks; our businesses or our employers may be the real target of such operations.
“Attackers are not just looking for PII, they also look for ways to get data from others that can be used against you,” Melancon said. “For example, people who want to gain information about company executives may mine Facebook looking for informative posts from the executives’ family and friends.”
So this is the age we live in. No, there is not a lot we can do about big business and big government utilizing Big Data stores – that issue lands squarely with our elected officials who need to enact strong data collection and use laws.
But, there are some precautions we can take in an effort to not over-share personal information. Just how much damage we have already done to our own privacy and security remains to be seen.
“The bottom line is that every piece of electronic data about you is being captured and analyzed,” Storms said. “With enough data and compute cycles, just about anyone can be identified and ‘hacked’ without the traditional PII data points.”