The Dangerous Secrets Our Working-From-Home Photos Reveal
Cybercriminals can glean many clues from scrutinizing shots of home offices and webconferences.
As more people work from home during the Covid-19 pandemic, they are sharing photos of their online meetings and remote-working setups—and that’s putting their security at risk.
My research into oversharing online shows that people often don’t realize how much personal information they are revealing in photos—images of their houses and hobbies that provide clues about their usernames, passwords and other personal information. And hashtags like #WorkFromHome and #HomeOffice make it convenient for crooks to zero in on photos that contain those details.
While we have yet to see any documented crimes based on photos shared during the pandemic, it is clear the boom in sharing exposes people to all sorts of dangers. The crisis is the perfect background for malicious snooping—because people are stressed and anxious to make any kind of personal connection, even if it is just revealing some small part of their home life.
Let’s look at a few avenues of exposure that put people at risk.
Spotting Your Vital Stats
First, crooks can scour your photos to find personal information that you would never think of sharing, precisely because you know it can turn against you.
Consider a phishing email that claims to be from your bank. It says there is a problem with your account, and you need to log in immediately, using a provided link. To seem believable, the email would need to include your name, birth date and home address.
Now imagine that you had recently published two posts on social media. In one post, you shared a picture of your home-working setup, which displayed—in addition to your MacBook Pro and adorable cat—an Amazon package showing your name and address.
In another post, your colleagues shared a photo from a Zoom conference in which they surprised you with a birthday party. There’s a lovely cake pictured, and it also includes your age. Your friends included the hashtag #Birthday, which means a criminal could figure out your date of birth from looking at when the picture was posted.
Now go back to the phishing email. It has your name, address and birth date. And you click on it.
Criminals also can glean information about your passwords based on photos that are shared online—and are already tempting because of hashtags. It is well-known that passwords are often based on hobbies and names of loved ones and pets. Posting photos of your home office may suggest your interests and hobbies—for instance, Harry Potter books, fishing trophies or posters of your favorite sports team. Similarly, photos that name loved ones or pets can also provide hackers with hints to passwords.
My research shows that hackers may combine these hints with databases of common, or previously breached, passwords to boost their chances of success. For example, if you have Liverpool Football Club posters around your room, criminals might deduce you are a supporter and that your password may contain “liverpool.” By analyzing a list of breached passwords, easily found online, hackers can see that most people who use “liverpool” in their password add a significant numeral after it, such as liverpool11 or liverpool10, the numbers of two popular players.
But people don’t just expose their own secrets when they post home-office photos—they potentially expose their employers’ secrets, too.
My preliminary analysis of photos from the new wave of work-at-home postings has found that people unwittingly reveal images of sensitive internal corporate correspondence and webpages on their screens—a trove of information for criminals.
People can also inadvertently reveal more-complex information, with photos that show technical details about their machines, such as the serial number of a computer. With the right piece of information, a criminal might be able to email an employer’s IT help desk, pretend to be that employee and obtain information that will help them get access to the system or carry out other scams.
Likewise, hackers and corporate competitors might take advantage of photos that show the software companies use.
Awareness of the software means knowing what software platforms to target and what security exploits to prepare. In some cases, the organization is using an outdated version of software, such as Microsoft Windows or Office, that hasn’t been updated to guard against new vulnerabilities.
Crimes such as burglary and theft are also still a serious threat. As individuals post photos of new remote-working setups, they also are including a range of expensive devices, the layout of their homes, and the locations of the nearest windows and doors. In combination with some of the other information mentioned above, this provides burglars with exactly the insight they need to determine what homes to break into, where to find the expensive tech, and how to get in and out.
To keep safe during the pandemic, we need to protect ourselves both in person and online. Cybercriminals are on the lookout!
Researchers Say Ransomware Attacks On The Rise As More People Work From Home
Proofpoint research shows that phishing-based ransomware attacks are on the rise amid the COVID-19 pandemic.
A study published by cybersecurity firm Proofpoint shows an increase in email-based phishing attacks used to deliver ransomware over the last few months.
According to the report, first-stage deployments of ransomware are on the rise and have mostly been targeting the United States, France, Germany, Greece, and Italy.
The attacks appear to be capitalizing on the influx of people now working from home amid the COVID-19 pandemic. Research additionally indicates that the ransom demands are very low compared to the amounts usually seen in these attacks.
Lower Than Average Ransoms
A ransomware application called “Mr. Robot” has mostly targeted people and companies across the U.S. in the past. Findings suggest that this has changed in recent months, however, with home users becoming the main victims of the attack. To reflect the software’s new use case, ransom amounts have dropped as low as $100 in Bitcoin (BTC).
A ransomware known as Avaddon distributed over one million messages in a single week. It too is known to target U.S. companies and individuals.
“24/7 Support” Offered By Avaddon’s Hackers
The hackers behind Avaddon often demand $800 ransom payments in cryptocurrency such as Bitcoin. Interestingly, this particular team provides a “24/7 support” service to its victims which offers them advice on how to pay the ransom and how cryptocurrencies work.
In recent days, cybersecurity firm Symantec blocked a ransomware attack directed at 30 U.S.-based firms and Fortune 500 companies.
How To Protect Your Privacy When Working From Home
There are ways to keep colleagues from intruding on your home life, and family members from intruding on your work life.
The cybersecurity world pays a lot of attention to protecting privacy. Privacy from hackers. Privacy from governments intruding on the lives of their citizens. Privacy from businesses that have an unprecedented volume of data that can be used to target or profile consumers.
But with so many people working from home, privacy has taken on an added dimension: the privacy of information from the ordinary, everyday intrusion by family or colleagues.
There is, for instance, the loss of privacy when your colleagues overhear you arguing with your children, or see what you read on the bookshelves behind you. Or the loss of privacy when your spouse can see what’s on your computer or how you handled your midafternoon Zoom call.
That’s exactly why so many of us need a work-from-home privacy strategy: a set of guidelines for what needs to stay private from whom, and a plan that makes it easy to stick to those guidelines.
What’s The Problem?
It may be obvious to say this, but it bears saying anyway: Your employer and your clients are counting on you to keep their information private. That may not be a big deal when you’re in an office and bring work home some nights or on weekends.
But it’s a much bigger issue when all your work and every conversation is available for anybody walking past you or your computer. Your spouse or your 10-year-old son may not feel quite as compelled to keep secrets as you do.
Just as important as your privacy obligations to your employer are your privacy obligations to the people you live with. No matter how many times my husband reassures me about his camera angles, I really hate getting dressed in the same room where he’s taking a Zoom call with six colleagues.
Even if they aren’t in the room during your calls, your family members or roommates may not want their bookshelves, art projects or photos visible to your colleagues or clients, so consider a family meeting where you collectively talk through what needs to stay off-screen, out of earshot or off the radar of your work contacts.
It’s no doubt tricky to keep your personal life out of sight when your company’s newfound remote work culture encourages people to share their goings-on.
But remember: You can’t build successful relationships on a foundation of discomfort. Setting boundaries with colleagues as well as family members can help establish a comfortable line between work and home, allowing you to be much more effective on both fronts.
Privacy From Your Employer, Clients Or Colleagues
Once you are clear on what you want to keep private, there is a range of tools and tactics that can help you protect those boundaries. The easiest is to have a designated, enclosed space in your home that is decorated (or not decorated) specifically for video calls. If that isn’t an option, here are some alternatives:
Decor Covers: The background blur available in many videoconferencing programs is one option, but I found it leaves you looking like a disembodied head. That’s why I prefer to simply hide or disguise my background. A ceiling track with curtain clips allows you to quickly clip a piece of fabric to use as a curtain or enclose yourself in an instant booth.
A pop-up, folding background can hide mess or give you a green screen for a digital background. You can also take a more targeted approach to hiding certain more problematic aspects of your surroundings.
Since I often take video calls in our bedroom, where a nude portrait of my great-grandmother graces the wall, my teenager made a paper-doll dress that has transformed the portrait into something more work-friendly.
A Physical Webcam Cover: Yes, I can turn off my camera at the end of the call, but I live in fear of forgetting—and of the various types of spyware that surreptitiously take over webcams. So I like to keep an inexpensive webcam cover that sticks onto my computer screen, with a sliding door to open or shut the camera.
Digital Decluttering: Before sharing your screen, turn off notifications and hide all your other windows. If you’re a Mac user, the PliimPro utility will do both with a single click.
Selective Social Media: Social isolation has made social media more important as a way of staying connected to friends and colleagues—but that doesn’t mean you want everyone to know everything. I rely on Facebook’s “restricted” list: Anyone who goes on that list can see anything I post publicly, but not the posts that I share only with friends. By putting all my colleagues on my restricted list, I can be friendly without overdisclosing.
Privacy From Your Partner, Roommate Or Children
I am just as conscious of keeping things private from my partner and children—especially when I’m working on something that might interest a curious teen, or create any conflict of interest for my husband.
The Do-Not-Touch Shelf: Set up a shelf or cupboard that is off-limits to your spouse, roommate and/or children. Nothing on it—work papers, charging cables, whatever—is to be looked at or touched by anybody else in the house. Period.
Shortcuts To Privacy
When you’re working from home, privacy from everyday intrusion by family and colleagues suddenly becomes incredibly important. Here are a few ways to protect the boundaries between work and home.
Separate Computers—Or, At Least, User Accounts: In an ideal world you will not have to share your phone, computer or any other device with family members. But if your work gadgets do double-duty as the family computer or gaming platform, you can still create some sense of privacy by creating a separate user account (or email and social-media accounts) for family use. That way the family can use the computer after hours without getting access to any of your work files.
Noise-Canceling Headphones: My noise-canceling Bluetooth headphones do an amazing job of creating a sense of privacy from the rest of the family. True, they can still hear my side of the conversation, but when I can’t hear them, I feel like I have some privacy for my work.
Walk And Talk: When I don’t want my family to hear my side of the call, either, I often leave the house with my phone and headset. A walk around the neighborhood—out of earshot of my neighbors as well as my family—allows me to speak freely and get some exercise, too.
Lock ’Em Up: Sometimes the best way to get privacy for yourself is by creating pleasant, private space for everyone else. Now that we’re all spending even more time at home together, I’ve invested time and money creating cozy spaces for each of my family members—closed-door rooms where they can retreat for schoolwork, Zoom calls or gaming sessions. When they’re all locked away in their rooms, I enjoy the quiet bliss of a living room I have all to myself.