I know what you did last summer…
No, I am not thinking about the classic horror movie, I am just looking at your Digital Footprint…
What is a Digital Footprint?
No matter whether you are a seasoned internet user who remembers the good old days of Ask Jeeves, mIRC, and Netscape Navigator, or you are just dipping your toes into the vast ocean that is the contemporary World Wide Web, you may not realise but just as walking on wet sand in Southern France or a muddy field in England on a wet autumn’s day, you leave a footprint behind you – a digital footprint, that is.
If you are wondering what on earth a ‘digital footprint’ is, fear not. Let’s consult a dictionary for starters. The Oxford English Dictionary says that it is “a trace or the traces of a person’s online activity which can be recovered by electronic means; the information about a person that exists on the internet as a result of his or her online activity”.[1]
But what does that actually mean and what can you do about it?
Our latest blog, written by Toro's Senior Investigator, explains what your digital footprint is and how it may be used against you.
The Surface Web
Have you ever tried Googling your own name to see what comes up?
If so, you have been conducting the most basic review of your digital footprint yourself. Depending on how common or uncommon your name is, your results will vary. But the underlying idea is the same: you may find multiple references to yourself in company press releases, media reporting or blogs, you may find your name in some obscure document that you filled in 12 years ago and forgot about, or you may find very little information, if any at all.
The bottom line is – what you find will give you some indication as to how much can be discovered about you from the surface web alone.
However, this is not the complete picture.
Social Media
Firstly, let’s start with social media.
How much of a digital footprint are you leaving on your social media accounts?
On social media platforms such as Facebook and Instagram, if your account is not set to ‘visible to your followers and friends only’ and you publish information about your personal life, that content is effectively public until the moment you change the privacy settings, and it stays public if someone has copied it in the meantime.
This can range from basic background information, such as your hometown or your school, to the names of your family members together with who is your parent, aunt, uncle, cousin, grandfather and so on. It may also disclose birthdays, an address visible in a photograph you published, your holiday trip to Italy last summer, or your high school pictures from 2007 that you forgot to make private.
There is also the risk that if you post about your travels live as they happen, you are also letting the world know where you are not: at home, giving burglars a great motive![2]
Tip – Go to your Facebook account, click the three dots and select ‘View as’. This shows you which content on your Facebook profile is public.
LinkedIn is not commonly seen as a security risk; after all, it is a platform for networking, so many people want to keep their profile open. But the information publicly available there can be used against you. How sure are you that the recruiter who connected with you is a real person? Who could be using your profile nefariously for criminal gain?
Personal Websites
If you are a professional who runs their own website, there is a chance that you or your hosting provider has not been updating the website and server-side software, leaving you potentially vulnerable to threats.
Unpatched WordPress sites, plugins, web servers, or even misconfiguration may also lead to unwanted information disclosure, including files you may not have wanted to be made public.
Beyond that, any information that you publish on the website can also be used to collect information about you and anyone else mentioned on it.
Breached Data
Arguably the more complex task is finding out what information about you is available on the deep and dark web. Typically, this data becomes available after a data breach affecting a platform or website you use, have used previously, or on which your personal data has been captured; for example, your name, contact and credit card details captured when booking a hotel.
Given the large volume of historic data breaches, it is likely that some of your personal data, such as an old password linked to an old email address, is on the web somewhere. If that password is no longer in active use, then at least you do not have to worry about that password leaking. However, your old email address remains disclosed, so a threat actor can attempt to access any accounts still tied to that address in the hope that you reused the old password on them.
Certain data breaches may be holding other types of personally identifiable information, such as mobile phone numbers, physical addresses, your old job titles, old professional and personal email addresses (which can then be used to find any additional leaked passwords), or even passport numbers and credit card information.
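As an added illustration, not part of the original post, here is a short Python check of your own accounts against a breach dump of the kind described above. The breach records and the account inventory are constructed sample data, and comparing passwords by SHA-1 digest rather than plaintext is an assumption, chosen so the plaintext never sits next to the breach corpus.

```python
import hashlib

# Constructed sample breach dump: (email, SHA-1 of the leaked password).
# These are invented records, not real breach data.
BREACHED_CREDENTIALS = [
    ("old.me@example.com", hashlib.sha1(b"Summer2007!").hexdigest()),
    ("old.me@example.com", hashlib.sha1(b"hunter2").hexdigest()),
    ("someone.else@example.com", hashlib.sha1(b"letmein").hexdigest()),
]

# Constructed inventory of current accounts: (service, email, password).
# In practice this would come from a password manager export.
MY_ACCOUNTS = [
    ("shop", "old.me@example.com", "Summer2007!"),      # reused leaked password, leaked email
    ("bank", "new.me@example.com", "Summer2007!"),      # leaked password behind a fresh email
    ("social", "old.me@example.com", "unique-Pw-41!"),  # only the email is in the dump
    ("forum", "new.me@example.com", "x9!Qv-long-unique"),
]


def find_exposed_accounts(accounts, breached):
    """Return (service, reason) pairs for accounts that a breach puts at risk.

    A reused leaked password is the most severe finding and is reported first;
    an account whose email alone is in the dump is flagged because that address
    is what a threat actor will try credential stuffing against.
    """
    leaked_hashes = {h for _, h in breached}
    leaked_emails = {e.lower() for e, _ in breached}
    findings = []
    for service, email, password in accounts:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
        if digest in leaked_hashes:
            findings.append((service, "password appears in a breach; change it everywhere it is used"))
        elif email.lower() in leaked_emails:
            findings.append((service, "email appears in a breach; expect credential-stuffing attempts"))
    return findings


if __name__ == "__main__":
    for service, reason in find_exposed_accounts(MY_ACCOUNTS, BREACHED_CREDENTIALS):
        print(f"{service}: {reason}")
```

Note that the "bank" account is caught even though its email never leaked: the password itself is what travels between breaches.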
Another source of breached data that poses a risk and could be published on the web is an infection by infostealer malware: malicious software designed to collect and exfiltrate sensitive information from your machine, such as credentials, system information, personal and business information, even whole files. Such an infection typically follows social engineering or phishing, or the user being tricked into running malware that pretends to be useful software.
The Big “So What?” Question
A threat actor can use information gathered online from one source to look for information elsewhere or supplement existing searches with new information.
Say they found your phone number on LinkedIn – a threat actor can check where that phone number is used and collect any other discoverable information that they can try and use for social engineering, or they can simply attempt to call that number and gather additional information directly from you, or pose as you.
A disclosed personal email address on Facebook can become an opportunity to conduct a targeted phishing attack against you, using, say, your registration on the Nike Run Club as a pretext to send you a message. The email message contains a malicious package for you to install, which is an infostealer malware. You download the file and run it. The new “Nike app” seemingly did nothing, but in the background, it just grabbed your passwords stored in a password manager, grabbed your session cookies, and a few files from the documents folder.
The publicly disclosed birthday of your child you posted years ago? You used it as a password on your home Wi-Fi network. Whilst collecting information, the infostealer also took a screenshot of your computer’s desktop, which disclosed the exact name of your home Wi-Fi connection. You disclosed your home address in a picture posted to Facebook containing an envelope that had a readable address on it. Do you see where I am going here?
Information that by itself is deemed not very sensitive can be combined to build a more comprehensive profile of you, which then poses a more active risk and can be used to compromise you, your system, your financial information, your company data, even your family and friends. Once you leave a footprint on the web, that web grows bigger and more interconnected. This is most visible on social media, where we can have hundreds if not thousands of connections all leading back to us, each probably feeding the web with our identifiable images and information without our awareness.
If you want to find out what your Digital Footprint reveals about you, please get in touch with info@torosolutions.co.uk.
[1] https://www.oed.com/search/dictionary/?scope=Entries&q=digital+footprint&tl=true
[2] https://www.telegraph.co.uk/travel/advice/social-media-post-invalidate-insurance-burglary/