Social media has transformed the way we connect and build digital communities today, but it doesn't come without risk. In this episode, TJ Sayers returns to help us unpack the security and privacy concerns of using some of the most popular social media platforms out there.
Facebook, Twitter, TikTok, Instagram, even the chat section in YouTube and other video platforms are probably the first names that come to mind when you hear the term social media. And it's a good term, really, because social media really started as something, well, social.
People connecting online locally and around the world into new digital communities.
Now to be fair, we've done that for years with online forums and if you remember IRC chat, so the idea isn't exactly new, but the way that these social media companies have made it so easy to connect and to share over the last, I don't know, maybe about fifteen years or so, is really unprecedented in all of human history.
So clearly, there are benefits to people being able to connect with each other so easily and all over the world, but we need to consider the security at an individual level, and some privacy concerns, when it comes to social media. And especially when it comes to privacy, there are a lot of gray areas and even cultural beliefs that come into play. And there are also some hard truths about security and privacy that we should be aware of as individuals, as government entities, as organizations, as companies, as we make our own decisions on how we consume and how we use various social media.
With me today is returning guest and cybersecurity expert TJ Sayers, director of intelligence and incident response at the Center for Internet Security. And we'll be discussing what the cybersecurity community has learned over the years about how social media is used, sometimes for business purposes and sometimes for more nefarious purposes, to collect and analyze information about you, about me, and frankly about most of us online.
My name is Philip Gervasi, and you're listening to Telemetry Now.
Hey, TJ. It's really great to have you back on the podcast today. I've been looking forward to this topic for a long time. I'm a big social media user. I think you know that, and our listeners certainly know that, you know, using Twitter, LinkedIn, and I've been toying with TikTok a little bit and things like that. So today, this topic of the security concerns around social media is very intriguing to me, and I'm sure to our listeners as well.
But before we dive in, would you just give us a little background about yourself and what you do?
Sure.
Yeah. I would love to, and thanks for having me on. Really looking forward to the discussion.
My background is largely DoD initially, and then I got into this field, cybersecurity in particular, through a graduate school internship. It was one of the requirements in the program, and that landed me at CIS for the better part of the last decade. In my current role I'm the director of intelligence and incident response, particularly over the MS-ISAC and EI-ISAC. So to give the audience a little bit of clarity, for those of you who are unfamiliar with what CIS is, what we do, and what the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers do.
CIS' vision basically is to lead the global community to secure our ever-changing connected world. So essentially, give confidence in the connected world. The mission is to make the connected world a safer place, and particularly we do this by developing, validating, and promoting industry best practices, which uniquely is guided largely in coordination with the global IT security community.
So a lot of feedback from the IT security community. We work with the global community to come up with these best practices and guidelines.
And they're all aimed at mitigating pervasive cyber threats. So kind of how I fit into the picture is I work under the ISAC umbrella, so the Multi-State and Election Infrastructure ISAC. And those two ISACs are tasked basically with providing cybersecurity services and support for the nation's state, local, tribal, and territorial and election office entities.
So you can think of that as basically any taxpayer-funded organization that falls below the federal level. On the federal level, we have a cooperative agreement with the Cybersecurity and Infrastructure Security Agency, and they oversee not just federal infrastructure, which is their primary domain. They also, in tandem with us, help secure the SLTT community. And then CIS, in particular, is that umbrella parent company where the ISACs fall under.
Okay. And for our audience's sake, by federal, you mean United States. Right?
That's correct.
Yep. Yeah. That sounds like a very broad scope that CIS encompasses. Your purview really has a lot of tentacles into a lot of areas. And last time we spoke, we talked about network security. We talked about the various threats that are top of mind for you out there in the world. I think we even discussed social engineering a little bit.
So let's focus then specifically on social media. What is the problem with social media? Actually, let me start with this. What specific social media platforms are an issue for you?
Sure. Yeah. I'll preface this, I guess, with: you know, a lot of good comes out of social media. As you said earlier, a lot of people use social media. You yourself and your company use social media.
We at CIS use social media. Right? There's a huge tangible value add with just connectedness, the ability to share, the sense of community that it gives people apart from being physically located together. Right?
You can now have access to breaking news right at your fingertips that was previously unavailable in our history. You can brand build, you know, release new products and services out to the community without being confined to just a couple avenues of doing that. Right? So there's a ton of benefits to social media, and I'm not necessarily here to try to persuade people not to leverage social media, just giving more of a secondary kind of perspective from a security side of where the privacy implications may be and some things to take into consideration.
And then we'll talk about the differences between social media generally and certain social media companies that may have larger motives beyond just revenue.
So there's a threefold thing I like to note as a kind of guiding principle. Right?
One is technology sometimes knows you better than you know yourself. And this is shockingly true for social media.
The second is if you're not paying for the product, you most likely are the product. Right? And this is also true of social media, and you don't typically pay for social media. There may be some business applications or specifics where you may, but by and large, you're not paying for that product. You typically are the product.
And then not all social media is created equal, kind of what I alluded to just a couple of minutes ago. Certain platforms are out there, and their main aim is just marketing, you know, getting to know you as a user and being able to present certain advertisements, maybe sell some of that information to other marketing companies so they can better cater their products and services to you, see what you're interested in so they can write more articles that are catered to that viewing audience, things like that. Right? But there's other platforms, TikTok in specific, that have a little bit more of a strategic influence or geopolitical aim, which I'm sure we'll get into in a little bit. But every individual and organization has to do their own risk assessment. Right? They have to determine what social media exposure works or doesn't work for them, which platforms they want to use and don't want to use, what types of content you want to put up there.
And that's truly an individual- or organization-based decision.
Sure. And you sort of didn't answer my question at first. You went broad and said social media is okay, you know, if it's used properly, and there's some privacy concerns, and that actually is one of my other questions I want to ask you. There's a difference between privacy and security, isn't there?
There certainly is. Yeah. So there's a couple differences here. So in the security aspect, right?
There's the notion of secrecy. Right? So there are certain things that you want to be in the realm of secret. So that's everything from classified information at a government level.
Right? That's secret stuff. That's not for public disclosure.
And then there's the private side. It's not necessarily secret, but it's private. Right? A good example would be maybe a discussion you have with your family at the dinner table. Right? That's not necessarily secret, but it's certainly private. It's not necessarily something you want to share with everybody.
Right? And then where does security fit in? Oftentimes security is trying to prevent operational impact. Right? But there's also a whole other realm of security where it's trying to prevent the unintentional or intentional exposure of people's private information. Right? So health information, places you travel to, connections that you have.
Anything that an individual or an organization may consider proprietary information or personal information or confidential information. Security also gets into that respect of trying to protect against the disclosure of that information.
Right. Right. And in this context, as far as social media is concerned, is the primary concern mostly then privacy, not necessarily secrecy? And I guess I'm talking about the individual, not necessarily, like, the Department of Defense's Twitter account. Right? Obviously, there's going to be some secrecy involved there.
Yeah. I think the answer here is it depends.
And again, it it depends on the specific platform.
So certain platforms have one purpose, and that's getting users on, trying to mobilize activity on the platform, and the end result is some type of revenue for that company. Right? And then there's other platforms that may be revenue focused, but they also have ulterior motives.
So it's more of a privacy issue with most social media platforms, and with one in particular, and maybe some others, it's somewhat of a security issue as well. And I would say it largely comes back to: what is the issue we're talking about? Right? Is it a strategic type of thing?
Is it, you know, we don't want employees accidentally putting stuff online on our social media accounts that's not for public release yet? It also comes back to who's behind that platform. Right? Sometimes you just purely have that revenue motivation.
And other times, as I'm saying, particularly here with TikTok, you do have that geopolitical or more strategic influence aim. And that may be more of a security issue because they're not just looking at you as a person and what you're consuming and what you're viewing; they're collecting and cataloging and trying to build a bigger picture for more strategic and geopolitical aims down the road. So that becomes now a clear security issue, writ large, for all users if that is taking place, compared to just information gathered for the purposes of revenue. Does that make sense?
Does that answer it?
Yeah. That makes sense to me. And I think for individual users, again, not companies and governments and that sort of thing, right, for individual people that are using these platforms, I think the whole privacy concern is probably going to exist on a spectrum.
In my experience working in tech for many years, and for a short time focused on network security, there were folks that were very, very tight with information. They didn't want anything out there. They never used cameras on Zoom. Any kind of geolocation information, they didn't want anything out there.
VPN, you know, or whatever kind of VPN browser all the time. But then there were those that just didn't care. And, you know, like the whole joke, like, you don't need to tweet every thought, well, they tweeted every thought. There are those folks where everything is just a brain dump on Facebook constantly. And I feel like there's a spectrum there on the individual side with regard to privacy, because I never saw any of those individuals that were willing to share private information also share Social Security numbers and bank information and passport numbers. Right? The secret stuff.
Right. Right. Yeah. And I think this gets into a whole other thing we probably should outline too. And then maybe I'll jump into some more of the specifics on the differences behind, like, a Facebook and a TikTok. Mhmm.
Right?
But what kind of data is being collected and why? Right? So typically what's being collected across the social media space is like device data. Right? So maybe device name, the make, the model, hardware specifications.
It could be the time zone. You mentioned geolocation.
It may even be other apps installed. Oftentimes when you install some social media applications, it asks you if it can get access to your contact list, or it may ask you if you have other apps installed, or when you sign into that other app, it may ask if such-and-such application can access that. And really, it's more often than not just for usability and for user experience that that's happening, but that can also be for ulterior motives, right?
There's other things too, like network data, IP address, location beyond just your IP address as well. Sometimes the GPS is used as well to find the specific location, maybe of an image or a video that was taken, or when you use the application, that's being captured.
Cellular or WiFi information. It may even be what cell carrier you use or your number.
Anything pretty much up front that you put into the platform to sign up, like your name, your email, your date of birth, things like that. That's all being captured typically with the particular social media vendor. But there's also a whole other realm that I don't think people typically think about, and there's a lot of talk about algorithms and catering content to certain users compared to other users. And there's a lot that goes into it, and all algorithms are not made the same.
Right? But by and large, how long you've spent on the site or application, how long you've scrolled, how fast you've scrolled, where your finger or your mouse is placed on the screen, the time of day you're looking at the website or application, what content you're looking at, what time of day. You're also potentially having things like what you viewed, how long you viewed, did you skip around the video? Did you watch the entire thing or only half of it?
Did you immediately back out of the video and go into another video or post? How many times have you viewed that? Did you come back multiple times to look at it? Maybe that's more than just a cursory kind of skim type of thing.
Other stuff like how long have you paused? When you're scrolling through, did you pause longer on a certain article or video or image?
What time of day did you pause longer on that? Are there other areas where you visited more often than other aspects of the site? Any likes, comments, suggestions that you share the content, all that stuff is captured. Right?
And it's basically built in when you're using that website or application to try to feed you content that you're more apt to click on or view. Right? And that gets into another aspect too. Once the algorithm gets an initial baseline of what you viewed, it will then begin actually displaying content to you, which could be as immediate as after just one visit and one click on a particular thing on that site or application. Right?
And then it's going to factor in, when the algorithm does feed you this content, do you click on it? Do you scroll through it? How long did you view what was fielded up to you based on your previous viewing history and interaction with the application? Right?
And this kind of creates a baseline of what you look at, when you look at it, what interests you have, and, depending upon the company, this could be used for marketing to you, or it could be used for trying to shift the narrative maybe on a really politically sensitive issue, or for causing some type of disposition shift in a population, or maybe they're just going to shield certain content entirely, right? We've seen this with TikTok in particular.
Where there's certain discussions happening, maybe around the Uighur Muslims, or it could be some type of Chinese protest, and they will basically prohibit any content or criticism of those things, or viewing of those things, or criticism of the Chinese government, from being viewed or posted on the platform.
But I'm going to play the devil's advocate here and ask this question. Other than that control of information, which obviously is either going to be nefarious in its goal or just isn't good for a citizenry, I get it. I get that.
Other than that, who cares? Like, what's the difference if Facebook knows what I like, if it makes my experience better? And I get it. They're trying to sell. I mean, we kind of all already know this.
We're training the model every time we click on a thing. So who cares?
Yeah. And again, this goes down to that question of an individual or an organizational self-assessment. Right? And I would say that idea of who cares comes down to the individual or the organization.
What do you care about? What's exposed? Right? And I'd say that's probably a good question to ask.
For most social media out there. But when it comes to foreign-owned, particularly Chinese-owned, social media applications, there's a much larger discussion and factor at play.
Particularly what I would say is the threat equation. Right? Threat is typically: what's the capability, is there intent, and is there opportunity? Right? And that gives you your overall threat equation.
And with TikTok in particular, you have what's called the National Intelligence Law of the People's Republic of China. Essentially, this was passed in 2017 by the National People's Congress, and then it was updated, I believe, a year later in 2018. But essentially, there's a couple articles in that intelligence law that are much, much different than US policy.
And it's Article 7. Article 7 essentially compels Chinese businesses who are registered or operating in the PRC, the People's Republic of China, to hand over information to Chinese intelligence agencies. And not only that, but this is a key component here, especially given that the TikTok CEO just recently came and gave testimony and was denying some of the allegations: it is also to conceal the fact that these organizations give to the Chinese intelligence agency.
So not only are you compelled, but you also have to try to conceal the fact that you're providing that information. And then you also have Article 10, which makes the law applicable not just within the borders of China, but also to Chinese companies that are operating abroad. Right? So think tech companies, a lot of other Chinese companies. Those organizations can also be compelled to hand over user data even if they're operating beyond Chinese borders.
Right? So there's huge implications for this, because the way the US operates is that there's intelligence law in place. There's executive orders. There's policy.
There's regulations. There's all of these really important, you know, red tape, as it were, to prevent collection against US persons and US organizations, and it's very detailed and geared towards protecting the privacy and sensitivity and security of US persons.
That's not reciprocated in China. Right? China basically has carte blanche to gather whatever they want from these organizations, and they also have a completely different worldview than the US does. Right?
They've been known to target political dissidents.
There's targeting of the Uighur Muslim population in China.
Doing really atrocious things. And they just don't have the same perspective on freedoms that the US would. So that's something we have to take into consideration.
When we're dealing with certain applications: what may this information be used for down the road, beyond just the road?
Okay. So let's say we have China or some country, any country, using social media as a method to collect information for nefarious activity in some kind of state-sponsored security, you know, something really James Bond-like. I get that. But, like, isn't TikTok predominantly, like, fourteen-year-old girls, and maybe some other teenagers as well, boys as well? But my point is, like, what would China want that data for? I don't get it. It's literally like geolocation of a fifteen-year-old girl in, you know, central New Jersey.
So there's two aspects here. First is they're not gonna be children forever.
Okay. Sure. That's true.
And the information collected on them may be of great strategic advantage to China in the future. Maybe these kids, and I hope they do, move into STEM fields, right, where they're working at leading technology companies and working on really high-profile new projects and things like that. Right? Having access to information on that individual could be used for extortion. It could be used for manipulation.
So just purely on that level. Right? China's not a tomorrow thinker. Right? They're thinking five, ten-plus years down the road when they're collecting this information.
It could also be used for any type of future military endeavors.
If they have information on particular individuals who are in sensitive government positions, they may be able to extort those individuals or influence their thinking. Right? And then the other aspect is present day: what type of content is being fielded up to users. Right? And I think it's good for the audience to recognize there's actually two different versions of TikTok.
We have the US version, and then you have Douyin, I believe is the pronunciation, for Chinese users. And there's been a lot of studies and reports done on the differences between those two applications. And you have the Chinese version of TikTok, which is fielding up STEM-related content. Right?
You know, you want to be an astronaut, you want to be an educator, you want to be a scientist, things like that. Right? To Chinese kids. And then you have the US-based version, which is predominantly pure entertainment or, by the estimation of some, actually destructive content.
That's fueling suicidal ideations, self-harm, eating disorders, pushing them into wanting to be an influencer. Everyone wants to be an influencer, and everybody wants to do something that's crazy and just gets views and clicks, instead of trying to push them into STEM fields. And if that's happening, that's certainly within the modus operandi of China, right? They're trying to essentially usurp the US in particular on the economic and world stage as a leader in STEM fields. Right? So it would make sense, if that is happening, that that's kind of falling in line with Chinese strategic policy.
Yeah. And you said "if" a few times. Do we know that that's happening? I mean, that they're doing that deliberately?
Based on the studies that have been done of the two applications a couple of years ago, that was certainly happening. What we've seen recently, with the scrutiny of TikTok in particular, is things seem to have slightly shifted. So back when that application in particular was first analyzed, and people were looking at it, there was a lot of stuff that was getting collected on TikTok, or at least TikTok was collecting on users, that if you were to go and analyze today, it may not be collecting the same information or fielding up the same content.
There's immense scrutiny. I mean, there were congressional hearings, the infosec community was interested in TikTok, and there was a lot of blowback about what was happening, just kind of poor security practices, and some of that stuff was corrected. And I think that's the big point here: a simple application update could shift what's collected or what's not collected on the platform. If it's already existing on your device, if it's already on there, China could change what they want to collect and compel TikTok to share that information, or to change their policy or what they're collecting. So I would say the TikTok of three to four years ago is probably different than the TikTok right now, in June of 2023.
But that's certainly not how it was in the past. And some of the things that they were collecting were scary.
And the level to which they were obfuscating what they were collecting was also novel for the social media platform industry at large.
Now, we've been talking about TikTok, and I get that. I understand why, but there are other very, very prominent social media platforms out there with millions or even billions of users. I mean, Facebook is the first one that comes to mind, but then there's also, of course, Instagram and Snapchat, and in the professional sphere we have LinkedIn.
You can probably consider the chat function of YouTube as a type of social media. And then we have these new platforms coming online, like Mastodon and Bluesky. So what are your thoughts on these other platforms other than TikTok?
Yeah. I mean, most social media is going to collect very similar things.
And I think that's a big takeaway for the audience today: it's not necessarily always what the social media company is collecting.
It may be the intentions behind that company that are of concern, right? You may feel comfortable sharing certain information with certain organizations, and you may not be comfortable sharing that with other organizations. Right? And that's a calculus that we have to factor in when we come down to larger, big-picture issues like this, right, where you have a particular nation allied with or adversarial towards another nation, and citizens from, let's say, the US are using a Chinese-based application.
There's larger implications to that. Right? It's not just a platform that you hop on and have some fun with. That information could and very well may be used in the future for malicious purposes. So it really comes back to who's behind the application, and I want that to be a big takeaway. Then there's what comes down to the actual collection of things.
From a technical perspective, you can track a lot of this stuff, right, through some type of man-in-the-middle application, network sniffers. There's a couple of mobile applications that I've used in the past too that either create a VPN tunnel or use the loopback address to filter traffic.
I've used Lockdown, Blokada. There's a bunch of others out there, but it'll let you see all of the application traffic on your mobile device that's going outbound. So certain API calls, certain domain calls, things like that, and you can see what these applications are doing. So you can kind of view what's occurring. And a lot of the stuff that's collected is over API calls. It's device permissions, just simply over HTTPS or something like that. Right?
For TikTok in particular, they do API calls, device permissions, HTTPS stuff. Right? And they're collecting on a permissions basis right now, like network state, WiFi state, if you're authenticated into the account or not, camera permissions, flashlight, internet access, other accounts that you have on TikTok, let's see. I'm just rereading through some of the things I put together here. So if audio recording is on, if vibrate is used, how long the screen's been on, things like that, just baseline kind of application privileges or permissions.
And then things that are sent over HTTPS could be like the operating system version, the resolution of your screen, the device brand and platform, CPU information, the language, could be longitude or latitude information, so kind of location-based stuff.
Yeah. So just things like that. And then you could have a lot of different things that would be really of interest, kind of tying something to you. And some of the other things that have been tracked by TikTok years ago: there were suspicions that they were capturing the IMEI and IMSI of mobile devices. So IMEI is the International Mobile Equipment Identifier.
Basically, that's like the fifteen-digit unique identifier for each device. So it's tied to your phone.
So if you get a new phone, that number will change, and even more concerning is the IMSI one. Right? That's the International Mobile Subscriber Identifier, and that's particularly tied to your SIM card.
So that typically follows you phone to phone. So even if you were using a particular application, it captured that IMSI, and you went and got a new phone and popped your SIM card into that new phone, it's now going to track you on that new device. So it's going to know that even though you got a new device, you're the same user, and it may start fielding you the same content, or collecting information on what you're doing.
Beyond just the device that you were using.
But this is all collecting information about who you are for some sort of behavior analysis. So again, they're training a model and adding all this to a very large data set. And also for behavior modification, like you said, so they're influencing a population. Maybe it's the American population of a certain age group, maybe a certain socioeconomic status, whatever it happens to be. But is there anything going on that we would say is like a step further as far as actually trying to exfiltrate data that would be deemed more than private? Not necessarily secret, because I'm not, like, the federal government, but something that I literally don't want to share, but they now have access to.
Well, I'm not aware of a specific instance like that. That's not to say that if there was particular information that they were after, they wouldn't be able to get it. They absolutely would be able to get it. Right? Because that organization would be compelled by national law in China to collect and gather that information as obscurely as possible so that they can conceal the fact that they're doing it. Right? And I think that concealing aspect is another thing I wanted to highlight here. There's a lot of social media out there, and a lot of these social media companies collect the same information, and it's surely not all malicious.
But one unique thing with TikTok in particular was the level to which they went to obfuscate what they were collecting and how they were collecting it. So a good example is not just using HTTPS, but they would have a proprietary algorithm laid over top of that to re-encrypt and send information off of the device. Right? API calls also had a very custom signature that they were using to send off information.
And the level of obfuscation that went into that platform in particular, in what they were collecting, was alarming to the security community, right? And it's an enormous undertaking to try to figure out all of those different aspects. Right? You'd basically have to go in and reverse almost every single native library available, right, and manually inspect obfuscated functions to figure out what's being done.
Right? So it's not just that they're collecting information. It's that there were extra measures and great lengths taken to prohibit identification of certain things being taken. And because you can update an application over time, it's very plausible that they may enable a certain function, or update the application for a particular user for a time to collect something, and then turn that setting off so that they're not collecting that anymore.
Right? This all goes back again to its being compelled by law. If China comes to ByteDance, the parent owner of TikTok, and says, we want you to specifically monitor these particular people and we want you to collect as much information as possible,
ByteDance is then going to go to the TikTok CEO, and probably the company writ large, and they're going to say you need to collect this information, and then you're going to have to conceal that you're doing it. Something like that would not happen in the US with US companies. In fact, there have been instances in the past that are great use cases for this. Right? Apple's a great example.
There was an iPhone that was used by a shooter years ago.
That particular iPhone, they wanted to backdoor. They wanted Apple to unlock it and decrypt it so that they could get access to that material. And Apple refused.
And it was one of those really hard decisions because, yes, we wanna know if there's other attacks going to happen, if there's gonna be more ramifications beyond just the singular event. But backdooring that device and allowing the decryption of that device now is potentially going to set a precedent to violate the privacy of everybody else using that device, right, or using that particular application.
So US companies have the law on their side to push back against certain requests, whereas Chinese companies don't have that wherewithal or law backing to kind of push back if Chinese intelligence agencies come and ask something similar.
Alright. So then what are some of the things that we can do to protect ourselves while we're using social media? I mean, I guess there's always the turn everything off method. Right?
And we just don't use social media. Don't install TikTok. Don't use Facebook. Don't have a Twitter account.
But assuming that we're going to use social media, there has to be a way that we can use it safely. Maybe it's operating system choice, or not using the app and then opting to use the browser instead, or always using a VPN. I don't know. You tell me, what are the ways that we can be safe when using social media?
Yeah. There's a bunch of things that people can do.
Particularly, it comes down to kind of device choice in a lot of cases.
So using a, you know, web browser on your PC is much better than using your mobile device and actually installing the application on that device. Right? There's another level of privileges that's granted to that application once it has residence on your actual device compared to you just visiting it through a browser.
If I was gonna kind of give, like, a flow, as it were, of kind of privacy if you were to use social media, like, an extreme case, an extreme privacy-oriented case, would be: don't use it at all. Right? Don't use any social media, but that's probably not doable for most individuals or really any organization out there. Because you wanna get your message out and broadcast the good things that you're doing.
Well, it's like the whole idea of saying that I don't wanna get into a car accident, so I'm not gonna drive again, or I'll never be driven, I'll never be in a car again. I mean, that's just not realistic.
And so in the same way, I mean, we could say, oh, I don't wanna have any privacy concerns or security breaches on my personal information. So I'll never use social media again. Well, I mean, that's kinda the same thing. You know, social media is a tool.
It's a technology. It's amoral in that sense, in the sense that it's just ones and zeros over a wire. And then the morality and the ethics come in with how that technology is used, either by individuals trying to exfiltrate data or companies that are taking information, perhaps for just innocent, like, business purposes, but without people's permission. Right? And therein lies the problem.
And you mentioned that there are some methods that we can do, like opting for using a particular social media platform via browser instead of installing the application.
But I do have to say that I've used some of the browser versions of some social media platforms. I'm thinking of one in particular, and they are far less functional than using the application that you would install directly on, like, my MacBook or on my phone. So I have to assume then that, it suggests to me at least, that these companies, these social media companies, are pushing people to use the app. Right?
Yeah. That's very common. Right? Not only because of the permissions, or having the application on your device, you have, you know, a better opportunity to use certain functionality.
That's kind of standard, I think, for a lot of software, but it very well could be used to just push users to trying to use the application instead of visiting over the browser. But quickly, to just finish the flow that I was gonna outline: right, the extreme case is not using it at all. Next best would be not having the application installed, not using a mobile device at all, and using some type of virtual machine on a PC to go visit your social media profiles, where it's containerized and, you know, you're only posting and providing information that you can very tightly control.
The next best case is just using a browser on a PC, then I would say probably a browser on a mobile device, and last resort, actually installing the application on a mobile device.
There's other things you can do too. So we talked about the different specific platforms. Some are better than others. They're not all alike. So take that into consideration.
VPNs are great. Right? They've become kinda commercialized and mainstream. I don't really know anybody who's not aware of what a VPN is now, but VPNs are still very helpful.
And then also be careful of what you share. Right? Be careful, when you're enrolling on these platforms, of what information you're providing to enroll, what information you're sharing when you're on the platforms, and always review the settings. I get critiqued sometimes amongst my family of being the settings guy, but whatever I install on my PCs or whatever I install on my mobile devices, I always go through the settings.
And as soon as I see a privacy section or an area where I can kinda lock things down and give myself or, you know, my family more privacy, I'll usually enable or disable those settings respectively. So just check out the settings. There's a lot of privacy functionality, especially built into US-based social media companies in recent years, to try to safeguard your information. And then definitely separate personal from business use.
So a lot of people will kinda conflate social media accounts between personal use and business use. That can get a little bit muddy just generally speaking between personal and business, but it also opens you up to additional, you know, scrutiny, with people knowing here's the personal things you do, and then here's the business that you work for and what you do, and they can use that for additional social engineering and targeting, building a kind of a bigger picture of who you are and what you do.
So then what specific things should I be concerned about? This is for the person who has no boundaries. Right? They're out there. I know them. I know some of them by name who don't care.
Speaking to them, what are the few top things that you would recommend they consider locking down and not sharing? So, off the top of my head, I don't share pictures of my family on social media very rarely. If I do, it's like a long-distance picture that's kind of funny of, like, my kid way out in a lake. I don't like to share pictures of my family because I feel like, I don't know who's out there looking at this stuff.
But what else? What should people be concerned about sharing?
I would be, personally, as well, family information.
I think that certainly opens you up to another level of social engineering, right? If someone wants to get access to you or manipulate you, they can then, you know, conceivably go after your family. So anything personal-oriented like, you know, family, you know, immediate family, somewhat extended family, I would be very careful of posting that stuff online. I would be careful of posting, like, a lot of travel, especially if it's personal.
We've seen that before where someone posts, hey, I'm gonna be away for a week, and then their house gets robbed or something like that. Right? Because, hey, you are gonna be away for a week and everybody knows you're not gonna be home now. But a lot of other things on more of a technical level is ensure, like, geotagging in your photos is turned off.
So a lot of times people will take a picture. They'll upload it to these platforms, and all the metadata in that photo potentially identifies literally almost to the coordinate level where you took that picture, when you took that picture, all of that stuff.
So be careful of that. I would also say, generally speaking, for most social media:
If you don't have to share it publicly, just share your social media only with connections or contacts that you already have or friends you already have on social media. That can get a little challenging with things like Twitter because it's purposefully built to be out there.
But just then be careful what you post on there. Right?
I wouldn't post things, you know, that are more sensitive or private on a public platform like that, things that you, you know, would consider just doing over a direct message. Assume any direct messages sent over these platforms are no longer yours, that if someone wants to access them, they probably can. And then lastly, I would say, for LinkedIn in particular, people put a lot of information, like, very granular stuff about their job and what they do and the fields they work in and what projects they were on. Some of that stuff can be proprietary or even classified information. So just be very careful of your career record on sites like LinkedIn, because that one could give someone a competitive advantage because they know what particular technologies you're using.
It could give, like, a cyber actor some type of foothold to say, hey, you know, they're using this particular firewall appliance or this particular network intrusion, you know, app, you know, model, or they have this particular email filtering service, or, you know, they're using this for their, you know, host-level protection. Right? And it just gives them more information so that they can kinda start building an attack model or profile to have success.
And then you have, too, the more strategic stuff we've been talking about, where foreign organizations, foreign governments will take interest in certain fields, STEM in particular, where they see you on LinkedIn being extremely successful. Maybe you have a bunch of different, you know, publications you've worked on and you're well known in the industry, and you would be a phenomenal target for solicitation. Right? So they reach out to you, try to build connections, you know, start targeting you with certain things, and they're just trying to collect information based on that relationship that they could use for a competitive advantage.
So, ultimately, what we're doing is trying to use common sense with a technology,
which we do across the board in our lives with other technologies. I use common sense when I use my stove.
But then being more cognizant of what I'm putting out there.
So, you know, for example, you mentioned the metadata that's embedded in pictures. That's just a simple thing. It's just a simple setting that I can change, I assume. I've never actually done that. So that's something I'm gonna do right away when we're done recording.
And then, you know, the understanding that a lot of that information is being pulled in not necessarily to hack you and steal all your bank account information and therefore all your money, but to build a profile of who you are. And, you know, for me, I'm not obsessed with privacy necessarily, but that does concern me because I wanna know why. How am I being manipulated? How is my information being used in ways that I don't approve of?
Yeah. Exactly. Yep. And I think it's important. We do live in a quote unquote globalized world, and we are highly interconnected all across the globe.
But there are bigger things at play. Right? There's the commercial level and the economics of it all, where a lot of international organizations work together. But there are nations at the military and strategic political levels that are adversarial to the American way of life and to certain things that we're doing.
And they will leverage this information to their advantage in the future if it comes down to some type of future altercation. So, you know, there's a lot of novel ways, when you get to know somebody at a granular level like a social media company may be able to do, where they can cater certain news to you or they could extort you in a particular way. Maybe you, you know, were looking at stuff that, you know, you would want to remain private. Right?
And then that organization could then come to you and extort you and say, hey, we're gonna expose what you were looking at, or we're gonna expose this relationship you have, or, you know, we're going to release these direct messages that you thought were private and it's gonna destroy your career or your reputation or stuff like that. Right? People don't think about stuff like that when they're using these applications, and an adversarial nation will be very interested in leveraging that type of stuff down the road, if it comes down to it, to try to gain, again, an advantage, whether it's militarily, economically, or whatnot.
Yeah. Yeah. And ultimately, you know, you mentioned direct messages, but really anything that goes onto that platform is now their intellectual property. Is that right?
Yeah. That's right. Yeah. That's another great point that people don't think about is it's your information and it may be private to you. But once you put it online, it's no longer private information, and it may very well be the intellectual property of whatever application or company you are using.
So, maybe this is not answerable, but if I put pictures of my kids on Facebook, does Facebook now have rights to those pictures?
They do. Yes. They have rights to the pictures that are posted on their platform. Yep.
This actually makes me think of the fact that though I, me, personally, may be very good about my social media hygiene, if you will. Right? Making sure that I have the settings on my phone properly adjusted so that way there is no metadata being revealed in the pictures that I post on Twitter. I don't post pictures of my kids on Facebook.
I'm careful about sharing location on LinkedIn. Whatever. All of those things. Right? Then I go to a birthday party with my family and friends.
And, you know, I have family and friends that take pictures of me and my family, and without me knowing it, post those pictures on their social media. And nothing nefarious, nothing untoward going on. It's just, you know, friends and family posting fun and happy pictures and happy messages.
But without my permission and maybe without my even knowing about it. So there is still that issue out there, even if you are really good about your own social media.
Yeah. That's tough. Right? You go to a wedding or a big family function and, you know, people take pictures of just the family and then they post them online.
The one thing that I have always found helpful, at least personally, is that, you know, they are not gonna be able to tag me because I don't have a social media profile to tag in that image. So unless they explicitly, you know, mention me or call me out or my family member by name, you know, it's gonna be harder to tie things back. But, you know, it gets down to some legal stuff when you get into, you know, if you post an image on Facebook, is it actually their image, or do they just own a particular aspect of it, or just the image on Facebook? There's a lot of complexity there that I can't speak to at a legal level.
But certainly when you post stuff online, it's now kind of public domain.
That's just an accepted thing nowadays. And then with a particular platform, you know, they have some level of ownership over that information. So, I haven't come up with a good solution for people taking pictures and posting them without my consent, but, you know, it's just something that you wanna be careful of.
Yeah. Yeah. It's caused a little consternation in my extended family.
And, you know, what it comes down to is that folks will come back to me and say, who cares? Like, what's the difference? I mean, you're online. I'm like, well, you know, there's certain things that I'm okay with putting online. It's my choice, but there's certain things that aren't okay for me.
And again, going back to what I said earlier, I know that there's a spectrum there, that some people are okay with much more or much less, and some with none at all. You mentioned that you have no social media profile whatsoever. But there is a line for me. And when it comes to my immediate family and certain elements of my personal life, they don't go out there. So, for example, I use Twitter almost entirely for tech stuff.
There's a very little bit that I put out there that's personal. And, to be honest, that's more just to show that I'm a real person, and I don't just, like, retweet links to, like, some tech article. Right?
You know, and I use LinkedIn for the same thing, zero personal stuff on LinkedIn.
You know, I've experimented with some other social media, but it's mostly, like you said, in a strategic way to build a brand, to connect with other like-minded engineers. Yes, there's a tech community out there. You know, I remember using, you know, chat in the late nineties when it was brand new and even before that. So it's a very helpful technology for folks that wanna get together and have these discussions and help each other get through a cutover that went sideways or something like that. Right?
So there's a lot of value there, but certainly, it's very eye-opening, or it has been very eye-opening in this last hour, discussing with you what's being collected, to what extent, how, from a technical perspective, a lot of it without our knowledge whatsoever. As soon as we hit accept, it kinda opens the floodgates. Right?
Yeah. Yeah. Once, you know, it's one thing to visit a social media website and not have an account. Right? Twitter is a great example. A lot of people can view Twitter feeds and stuff on Twitter and get news from Twitter without necessarily having to have an account.
And then surely we'd mentioned already not all social media is created equal. Right? So your potential exposure on Twitter is gonna be much different than all the information you may have on a Facebook account if it's still public and not private to just your contacts, compared to using TikTok and, you know, the stuff that's collected there. Right? There's all these different risk and threat calculations for different platforms.
So, you know, it's a hard decision to make for a lot of individuals and organizations on what to use and what not to use.
But it's important to kind of know going into it that there's a lot of information you may not realize is being collected, and it may just purely be for revenue generation for that company, but there may also be ulterior motives down the road, and you don't wanna get caught up in something that you were unintentionally scooped into because you just didn't have the knowledge going into it.
Does CIS and other like organizations actively and proactively monitor social media for this kind of activity?
We don't proactively monitor social media specifically for what we're talking about here, but we certainly monitor from the ISAC perspective, you know, posts made by threat actors or other, you know, malicious actors against election offices or against, you know, state, local, tribal, territorial US governments. Anything that's gonna be, you know, affecting our membership base, we'll monitor for that type of stuff. But this is more of a, you know, telemetry-based kind of long-term strategic type of thing of what some of these platforms collect and what they could be used for. That's a little bit outside of the domain of CIS, but we keep a close eye on stuff like this, particularly a couple years ago.
One of the teams I oversee, the cyber threat intelligence team, took a particular interest in TikTok, particularly because of the thing with the level of obfuscation that was in place on that application and some of the things that they were known to have been collecting years ago. And we wrote a blog post just kind of bringing awareness to it. Around that same time, you know, DOD banned TikTok on their devices. You know, a lot of states are now banning TikTok. It's banned off of certain federal devices and things like that, just because of the risk of what it could be used for down the road, or even presently, to collect information.
And we currently have a blog post on our website. If people wanna go on cisecurity dot org, they can go check it out. It's TikTok influence operations and data practices threaten US security.
Yeah. We'll definitely link to that in the show notes.
So then who is doing the monitoring? And, I mean, you mentioned some studies earlier. Who were doing these studies? Is it government and para-government organizations, or at least the security arms of those organizations?
Surely US governments are interested in this stuff. I'm not gonna go through and name them, but most of the really interesting public research that has been done is through, you know, independent security researchers and certain security-based companies who have released the reports, you know, outlining, hey, we checked out this application. You know, here's what we observed. Here's the things that we saw it, you know, reaching out to and how it's doing it, and, you know, just bringing awareness to the space.
Well, TJ, this has been a really great conversation so far, and we are approaching an hour or so. I'd like to wrap it up. Before we do, I'd like to say, my goodness, is social media a love-hate relationship for me.
I mean, over the years, I have connected with so many great engineers, many of whom I've become friends with and who have helped me as an engineer and in my career. And I hope I've also been able to help a little bit as well.
And also just the community that I've been able to be a part of via various social media. I mean, that's how I've built my career over the better part of a decade now. But at the same time, yeah, especially in very recent days, growing concern over security issues and probably more so privacy issues. And of course, not to mention some of the stuff that I see in my feed these days. So for me personally, I still value social media very much, but I appreciate the eye-opening conversation that we've had and the information that you've been able to share. So as we close out now, TJ, if folks have a question for you, or a comment, how can they reach out to you?
Yeah. I would direct them to CIS, in particular media at cisecurity dot org, and I'll pass that information over to you, Phil. And if they have any questions, they can route them through there and I'd be happy to answer them.
Great. And I won't ask you for any social media because I know you don't have any, but you can find me online still. I am active on Twitter at network underscore phil. You can search my name on LinkedIn. And if you have an idea for a show, or you wanna be a guest, please reach out to us at telemetry now at kentik dot com. So until next time, thanks for listening. Bye bye.