I’ll be the first to admit I’ve enjoyed a lot of the memes that have flown around the Internet. I cannot help but appreciate grumpy cat, especially the one that read something like, “If you love kitties…” “No.” “Share this…” “No.”
I’m here to give you reason to properly fear certain kinds of memes and surveys and social media games, because they are major security risks to you and yours. Let me explain.
Danger Meme Part I – Phishing for Personal Information
I’m sure all of you have set security responses to various banks or other financial institutions. Maybe even your healthcare, or utilities company. What questions did they ask you to pick from, hmmm? Your mother’s first name? Your paternal grandfather’s name? Your first pet? Name your favorite sport?
This is me putting on my black hat, telling you why I love your little Internet memes and Facebook posts that reminisce on the memory of your darling grandpa, dad, pet: I’m on your friends list. Sure, your FB feed is fully locked down to Friends Only, and I respect that as a secure first step. (It is, right? RIGHT?) But then you re-accepted a friend request from your cousin, who you thought quit FB over the election. Or I simply got your sister’s login credentials through some other hacking tool or social-media manipulation.
Now I have any personal info you have offered up on “About”, visible to Friends Only. (You can post your birthdate, your email, your phone number, names of family members in the About section – love how you’ve locked it to Friends Only.) I know you’re a die-hard 49ers fan, and love the Sharks. You’ve told me about Fluffy and Spot, your first pets. I have Googled you enough to know all the little details you would normally keep as something to remember for weaker forms of two-factor authentication.
I own you. I own your medical records, your bank logins, and any other sources where your security questions are answered by these common-place things. So now I want to attack your system – be it home or work.
Danger Meme Part II – Take This Quiz and Share It
How well do you know yourself? Do you know what your spirit aura looks like, or what color your Lightsaber would be if you were a Jedi? Which Roman God/dess are you? Which famous WWII general is most like you? What mythological creature are you?
I could go on, but you all have the ability to Google these for yourself (see the Google image search above for “personality quiz”). From a psychoanalytical perspective, these quizzes are pure clickbait for people with some measure of boredom and insecurity. There is not one of them that doesn’t contain ‘pets’ for your ego, telling you how strong or sensitive, how creative or courageous you are. Their job is to make you feel better about yourself, and happy to have a fantastical moment in the middle of your humdrum white-collar job day.
I answer Manticore every time someone I adore posts a link to a click-bait quiz meme on Facebook. (A Manticore is a Persian man-eating beast – you can look it up.) And then I remind them not to randomly click on every quiz that comes by.
Why am I so mean? What can happen by taking one of these online quizzes?
Just visiting the page can download malware onto your computer, including Trojans. (I’m looking at you, too, Mac users. This is not just a PC issue.) These days, malware isn’t just delivered via emails – it can trigger just from landing on an unsafe page. That’s why so many spear-phishing attacks offer you a choice of files to download or URLs to visit.
I counted over 30 sites for the same lightsaber quiz, and a couple of YouTube videos. Before you clicked on that link in Facebook/Snapchat/Instagram, did you check whether the destination URL was known for malware or malvertising, or had a bad reputation? Did you even know that was a thing, and easy to do? Bookmark one or more of these:
Maybe you’re fully patched, because you’re on a work computer. You think it must be IT’s fault if you get something, right? You’re basically protected? WRONG. There are new wrappers for old vulnerabilities, and staying ahead of them is an adventure for even the most professional IT Security vendors. And if you’re at home, then the onus of staying up to date for every part of your system is on you.
So be smart. Hack yourself first. For the individual, this means making sure you don’t hang your secret security-question answers out there on social media; it means not going to random quiz sites that offer you nothing but ego pets, along with a bit of malware that may make your system part of a botnet, or download ransomware you’ll regret later.
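One way to “hack yourself first” against the Part I attack above: audit whether the answers you registered with your bank already sit in your own profile and posts. This is an added example, not code from the original post; the profile, posts and answers are constructed sample data, and the matching is a plain word-boundary search after normalizing case, accents and punctuation.

```python
import re
import unicodedata

# Constructed sample data: what a "Friends Only" profile and feed still expose
# to anyone on the friends list (hypothetical values, not real people).
PROFILE_ABOUT = {
    "hometown": "San Jose, California",
    "family": ["Margaret Ellis (mother)", "Walter Ellis (grandfather)"],
    "favorites": ["San Francisco 49ers", "San Jose Sharks"],
}
POSTS = [
    "Missing my first dog Fluffy today. Best pup ever.",
    "Go Niners! Can't wait for the Sharks game tonight.",
    "Throwback to grandpa Walter teaching me to fish.",
]
# The answers registered with the bank (also constructed).
SECURITY_ANSWERS = {
    "mother's first name": "Margaret",
    "paternal grandfather's name": "Walter",
    "first pet": "Fluffy",
    "favorite sport": "Hockey",
    "city you were born in": "San Jose",
}

def normalize(text):
    """Lower-case, strip accents and punctuation so 'Fluffy!' matches 'fluffy'."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower())

def flatten(about, posts):
    """Collapse About fields and posts into one normalized blob of text."""
    pieces = list(posts)
    for value in about.values():
        pieces.extend(value if isinstance(value, list) else [value])
    return normalize(" ".join(pieces))

def exposed_answers(answers, about, posts):
    """Return the security questions whose answer appears in the social footprint."""
    footprint = flatten(about, posts)
    hits = {}
    for question, answer in answers.items():
        needle = normalize(answer).strip()
        if needle and re.search(rf"\b{re.escape(needle)}\b", footprint):
            hits[question] = answer
    return hits

if __name__ == "__main__":
    for q, a in exposed_answers(SECURITY_ANSWERS, PROFILE_ABOUT, POSTS).items():
        print(f"EXPOSED: '{q}' -> {a!r} is visible to your friends list")
```

With the sample data, four of the five answers are flagged; “Hockey” is not, even though the Sharks posts all but give it away, which is the limit of a literal check and exactly the inference a nosy “friend” would make.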
I am watching you.
Originally published on the RSA Conference Blog.