
What type of dog are you?

  • Writer: KZ
  • Jan 2
  • 5 min read
SECURIKIWI

We have all seen these types of questions doing the rounds on social media: what type of dog are you? Such an innocent question, right? Well, no - they are used to gain private information about you. Sadly these are nothing new, and what's worse is that people answer the questions.

Why is that worse?


What is the problem if I answer questions?


Do I really need to do anything?


Well, largely it will be situational, but let's go through a quick primer and the recommended steps if you have fallen into this trap.



What do they really give away?


So questions can seem benign but what is really at risk?


When answering these questions you are putting information about yourself out into the world where someone can make use of it. There are two main terms here, Open Source Intelligence (OSINT) and Human Intelligence (HUMINT).


OSINT:


OSINT is all about what is publicly available about you or your family (or companies, governments, organisations etc.), and this can be used to build a very detailed profile of you.


Think about the information you give away when you answer questions like the ones below:


  • If I could live anywhere it would be:

  • We all miss a pet that passed over the rainbow bridge, comment their name to remember them:

  • The best star sign is:

  • Comment the best year to be born:

  • The first street I lived in was:

  • My first car was a:

  • If I could only eat one thing forever it would be:

  • I went to the best school and you can't convince me otherwise, I went to:


So these (or some which are similarly worded) actually can give an attacker a wealth of information. These are forever out there and can build up a picture of you which can include:


  • Location information on where you want to be, and usually WHY as well.

    • Some people will just comment a place, others will say why, which can include hobbies, family members living in certain parts of the world, cultures you admire, food you enjoy and more.

  • The name of your first pet

    • Commonly used in both passwords and account recovery questions, think about this - do you use this information anywhere for recovery or passwords?

  • Star sign information, usually also followed up with either a reason why or if it is because this is yours.

    • This can be used to determine if you believe in such things, or if it's because you think a partner from a certain star sign is attractive - either can be used against you.

  • Best year to be born usually is the year people are born themselves - or people overshare and say why they regret being born in 'XX' year.

    • This is obviously a bad thing

  • The first street you lived on is similar to the pet discussion: consider whether you have used this anywhere.

  • People's first car is usually something they are excited about, so it can end up as part of their password or recovery questions. It can also open people up to being targeted by someone who calls because they know your car make and model and just need to 'book in' a repair or similar.

  • If people are very happy to mention their favourite food, they are also more likely to use it in their password.

  • People's school is also a very useful piece of information for both recovery questions and some social engineering.


So how are these things used against you?

Some of these pieces of information can be used in the HUMINT field so we will go through that shortly, however these pieces of information can be used for:


  • Password cracking

    • Hackers will take key information like this and put it into a piece of software which will then create combinations of passwords to try against all your accounts.

    • These combinations are very similar to what humans create and therefore the toolkits used work very well.

  • Account recovery attack

    • Hackers may be targeting individuals and so when seeing which recovery questions they are faced with, create these posts in order to get the target to answer.

    • After enough of these attempts they have enough information to get your account 'recovered' and they have full access to the account.



HUMINT


Human Intelligence takes that information to the next level. You will get messages, calls or even a chance encounter with someone claiming to be someone you met with your dog or at school etc. Then they talk their way through your defences to get more information or access to places they wouldn't otherwise get into.

People will talk and ask open-ended questions such as 'Are you still with..' to get you to supply the name of your partner (more information), use similar tactics to get information on family or friends, and follow up with 'Oh they must be getting old now', which then gives them an age for the family member or friend.

'Oh you work there? What's it like? What's your manager like, because mine is a ****' is another tactic used. You may have been targeted because of where you work, and someone is trying to get more information to intrude into your company either physically or digitally.


So as you can see these nuggets of information can be crafted to provide actionable intelligence for malicious actors to get into your life or gain access to places which are hard to get into.


What can I do?


So the first thing to say is - be careful! Don't just join in online information sharing activity. Always think of how this could be used against you, not just now but in the future, because once the information is out there - it's out there!


If you have already answered some of these, you need to ask yourself:


  • Have I used this information in my passwords?

  • Are any of these answers part of my recovery questions anywhere?

  • Am I likely to use this in future?


If yes, you should make sure you change any that exist with that data ASAP.
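A way to run that self-check locally, as an added example that is not part of the original post: it flags any password or recovery answer that contains something you have already posted publicly, including simple character swaps such as `0` for `o`. The function names, the answers in `DISCLOSED` and the values in `SECRETS` are all constructed for illustration.

```python
import re
import unicodedata

# Substitutions people commonly use to "disguise" a word inside a password.
LEET = str.maketrans("013457@$!", "oieastasi")

def fold(text):
    """Lower-case and strip accents so 'Zoë' and 'zoe' compare equal."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()

def secret_forms(secret):
    """Two views of a secret: as typed, and with the substitutions undone."""
    plain = fold(secret)
    return {re.sub(r"[^a-z0-9]", "", plain),
            re.sub(r"[^a-z0-9]", "", plain.translate(LEET))}

def fact_tokens(fact):
    """Words of a disclosed fact worth matching (3+ characters)."""
    return {w for w in re.findall(r"[a-z0-9]+", fold(fact)) if len(w) >= 3}

def exposed_facts(secret, disclosed):
    """Return the labels of disclosed facts that appear inside `secret`."""
    forms = secret_forms(secret)
    return [label for label, fact in disclosed.items()
            if any(tok in form for tok in fact_tokens(fact) for form in forms)]

# Constructed sample data: answers someone might have posted under quiz-style posts.
DISCLOSED = {
    "first pet": "Zoë",
    "birth year": "1987",
    "first street": "12 Kauri Road",
    "first car": "Toyota Corolla",
}

# Constructed secrets to audit; everything stays on the local machine.
SECRETS = {
    "email password": "C0r0ll@1987!",
    "bank recovery answer": "zoe",
    "forum password": "plum-violin-harbour-42",
}

def audit(secrets=SECRETS, disclosed=DISCLOSED):
    """Map each secret's name to the disclosed facts it reuses."""
    return {name: exposed_facts(value, disclosed) for name, value in secrets.items()}

if __name__ == "__main__":
    for name, hits in audit().items():
        print(name, "->", "change it: reuses " + ", ".join(hits) if hits else "ok")
```
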


You should also ensure Multi Factor Authentication (MFA) is activated (and yes I know we beat that dead horse a lot - but seriously, enable MFA!) as this will provide an increased layer of security.


Consider using a password manager. We partner with Keeper and I use them myself as it's very secure and adaptable. (If you are a company and want to implement Keeper - get in touch! We are partners with Keeper and can save you money on implementation and also ensure it is right for you first.)


Always be mindful of people coming up and starting conversations. Unless you actually know and remember them, it is wise to be guarded and not volunteer information about you or your workplace. Never give out your work email address to people you don't know, or take them on a tour of the workplace because they are interested.


If in doubt, run the situation past someone else in your life who may have an outside view and can flag up if something seems off. We can all be too close to the situation to see the obvious at times! It even happens to professionals in the military, police or intelligence.


Summary:


So in summary, be careful, be safe and be suspicious (but don't overdo it ;) )

