The Blind Spot of Data Leakage – And What to Do About It

Originally published by CXO REvolutionaries.

Written by Ben Corll, CISO - Americas, Zscaler.

The premise of cybersecurity is defending against digital threats – malware, hackers, criminal organizations, and the rest. This makes plenty of intuitive sense. Attackers primarily come from the outside, right?

Lately, though, a different class of threats has made its rite of passage to the core of cybersecurity: inadvertent data leaks. Whether we’re talking about personal or organizational leaks, in person or in the cloud, it’s getting easier to lose control over sensitive or confidential data, often without realizing it.

Given the extraordinary range of security talent and tech available today, how does this happen? At a psychological level, I think it stems from a reflective blind spot: we rarely see ourselves as a potential security hole, but your unlocked laptop swiped from you as you pick up your latte at the local cafe can instantly change all of that.

Cybersecurity specialists detect, mitigate, and eliminate external threats to the organization. Typically, they spend fewer resources on the threat that organizations, and those who represent them, pose to themselves. And user awareness training can only go so far.

Essentially the same problem applies to individuals. People are generally more worried about protecting their money, lifestyle, reputation, and time than all the ways they can expose data (as social media companies can attest).

Entrenched habits can produce bad outcomes

Security blind spots can lead to severe problems for individuals and organizations.

For instance, I recall an FTC blog post that warned the public of the dangers of digitally-enabled cars – especially those we rent or borrow.

Convenience and routine lay a subtle trap. We indulge our habits when we’re in a friend’s car, a rental, a ride-share, etc. We automatically pair our smartphones to charge, stream music, make calls, and gladly have our next right turn announced aloud. Strange vehicle or not, we reflexively link up digitally to recreate a familiar convenience.

When the car’s ownership changes, our data goes with it – our music collection, contact list, stored texts, location information, and other data instances. This can happen if your phone is simply charging and not logically linked to the infotainment system.

When a car detects a new phone, it may automatically sync the mobile data with the vehicle system. Unless we deliberately delete the data from the car – something we probably do not think about or know how to do – we’ve lost control over what happens to our information.

Linking a personal phone to a strange car’s system is an unnecessary risk. So what’s the fix? Avoid the USB port to charge your phone and use a cigarette lighter, for instance. Just don’t forget the adapter.

Juice for data

Another potential variation on the data-leakage problem that garnered recent headlines is juice-jacking. This threat involves public phone-charging facilities, such as airport and hotel kiosks, that a malicious actor has compromised.

You get a power-up; you lose control over your data; it’s not a happy exchange. Additional threats apply if the phone comes away from the charging process with shiny new malware installed that gives the malicious actor remote access to and control over it.

Although the FCC is not aware of any juice-jacking attempts in the wild, the Denver FBI office recently renewed focus on this threat with a tweet. They advised:

Avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.

Another solution is using USB cables with power wires but no data wires. While the prevalence of this threat is unclear, devices such as the OMG cable make juice-jacking attacks incredibly simple. Cables and portable chargers you own would be the safest choice.

Do you trust the bystanders in your digital ecosystem?

“Juice-jacking” is actually an instructive example of the problem of accidental leakage. It might be nonsense. Maybe it could happen. Maybe it has. But it’s not very probable. It all comes down to the level of risk a user is willing to accept, weighed against the potential damage of a compromise.

Consider the murky area of digital service intermediaries we use every day. Organizations and private individuals routinely dump information through translation software, transcription tools, and grammar assistants. Consumers of these services hand over enormous troves of data to these tools on the assumption it will not be stolen or abused.

Voice-to-text applications, digital assistants, and smart TVs are like spiral wishing wells into which we throw our data coins. It’s a question of risk versus reward. When faced with potentially transformative AI capabilities like ChatGPT, the temptation to drop in data is strong. Large language models are only the latest temptation toward overly permissive data sharing, but already we’re seeing organizations being required to make tough judgments between risk and reward.

Route traffic, not hackers to corporate credentials

Corporate data leakage is a more serious problem, given the number of people affected by the security lapse. This was recently demonstrated by a surprising discovery by security researcher Cameron Camp. According to a recent article, Cameron was setting up pen-testing equipment, including a second-hand router, when he made a startling discovery – the router contained legacy network data.

He then bought sixteen additional used routers to see if this was a recurring problem. He found that nine of sixteen functional used routers still contained business data. Among the instances of leaked data found on these routers, Cameron found:

• VPN credentials
• Hashed root admin passwords
• Data that identified the former corporate owner of the router
• Router-to-router authentication keys
• Network credentials for accessing external networks (partners, clients, etc.)
• Actual customer data

Change your cryptographic keys if your business has disposed of routers that contain company info. Just be aware that other information, like your organization’s applications, may still be leveraged in an attack.

Upgrade awareness, not just technologies

Modern technology has empowered us to do amazing things, and connected devices are ubiquitous in modern life. It is easy to forget how our daily interactions with it all can inadvertently spread or expose our data to risk. Perhaps one day, we’ll find a better way to consolidate and protect our information in a fast-paced world of connected but disposable devices and the continuous stream of ephemeral online services. Until then, we must remain mindful of where and how we use our technology and wipe data from every connected device we’re ready to say goodbye to.