ARN

8 strange ways employees can (accidently) expose data

From eyeglass reflections and new job postings to certificate transparency logs and discarded printers, employees have odd ways to unintentionally expose data.

Employees are often warned about the data exposure risks associated with the likes of phishing emails, credential theft, and using weak passwords.

However, they can risk leaking or exposing sensitive information about themselves, the work they do, or their organisation without even realising.

This risk frequently goes unexplored in cybersecurity awareness training, leaving employees oblivious to the risks they can pose to the security of data which, if exposed, could be exploited both directly and indirectly to target workers and businesses for malicious gain.

Here are eight unusual, unexpected, and relatively strange ways employees can accidentally expose data, along with advice for addressing and mitigating the risks associated with them.

1. Eyeglass reflections expose screen data on video conferencing calls

Video conferencing platforms such as Zoom and Microsoft Teams have become a staple of remote/hybrid working. However, new academic research has found that bespectacled video conferencing participants may be at risk of accidentally exposing information via the reflection of their eyeglasses.

In a paper titled Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing, a group of researchers at Cornell University revealed a method of reconstructing screen text exposed via participants’ eyeglasses and other reflective objects during video conferences.

Using mathematical modelling and human subject experiments, the research explored the extent to which webcams leak recognisable textual and graphical information gleaned from eyeglass reflections.

“Our models and experimental results in a controlled lab setting show it is possible to reconstruct and recognise with over 75 per cent accuracy on-screen texts that have heights as small as 10 mm with a 720p webcam,” the researchers wrote. “We further applied this threat model to web textual contents with varying attacker capabilities to find thresholds at which text becomes recognisable.”

The 20-participant study found that present-day 720p webcams are sufficient for adversaries to reconstruct textual content on big-font websites, while the evolution toward 4K cameras will tip the threshold of text leakage to reconstruction of most header texts on popular websites.

Such capabilities in the hands of a malicious actor could potentially threaten the security of some confidential and sensitive data. The research proposed near-term mitigations including a software prototype that users can use to blur the eyeglass areas of their video streams.

“For possible long-term defences, we advocate an individual reflection testing procedure to assess threats under various settings and justify the importance of following the principle of least privilege for privacy-sensitive scenarios,” the researchers added.

2. LinkedIn career updates trigger “new hire SMS” phishing attacks

On professional networking site LinkedIn, it’s common for people to post upon starting a new role, updating their profile to reflect their latest career move, experience, and place of work.

However, this seemingly innocuous act can open new starters to so-called “new hire SMS” phishing attacks, whereby attackers scour LinkedIn for new job posts, look up a new hire’s phone number on a data brokerage site, and send SMS phishing messages pretending to be a senior executive from within the company, trying to trick them during the first weeks of their new job.

As detailed by social engineering expert and SocialProof Security CEO Rachel Tobac, these messages typically ask for gift cards or bogus money transfers, but they have been known to request login details or sensitive decks.

“I’ve seen an increase in the new hire SMS phish attack method recently,” she wrote on Twitter, adding that it has become so common that most organisations she works with have stopped announcing new hires on LinkedIn and recommend that new starters limit posts about their new roles.

These are good mitigative steps for reducing the risks of new hire SMS phishing scams, Tobac stated, and security teams should also educate new employees about these attacks, outlining what genuine communication from the firm will look like and what methods will be used.

She also recommended providing employees with DeleteMe to remove their contact details from data brokerage sites.

3. Social media, messaging app pictures reveal sensitive background info

Users may not associate posting pictures on their personal social media and messaging apps as posing a risk to sensitive corporate information, but as Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry, tells CSO, accidental data disclosure via social apps such as Instagram, Facebook, and WhatsApp is a very real threat.

“People like taking photos but sometimes they forget about their surroundings,” Bestuzhev said.

“So, it’s common to find sensitive documents on the table, diagrams on the wall, passwords on sticky notes, authentication keys and unlocked screens with applications open on the desktop. All that information is confidential and could be put to use for nefarious activities.”

It’s easy for employees to forget that, on an unlocked screen, it’s simple to spot which browser they use, what antivirus products they are connected to, and so on, Bestuzhev adds. “This is all valuable information for attackers and can so easily be exposed in photos on Instagram, Facebook, and WhatsApp status updates.”

Keiron Holyome, VP UKI, Eastern Europe, Middle East, and Africa at BlackBerry, emphasises the importance of security education and awareness about this issue.

“Companies can’t stop employees taking and sharing photos, but they can highlight the risks and cause employees to stop and think about what they are posting,” he said.

4. Data ingestion script mistypes result in incorrect database use

Speaking to CSO, Tom Van de Wiele, principal threats and technology researcher at WithSecure, says his team has handled some unusual cases in which a simple mistype of an IP address or URL in a data ingestion script led to the wrong database being used.

“This then results in a mixed database that needs to be sanitised or rolled back before the back-up process kicks in or else the organisation might have a PII [personally identifiable information] incident that violates GDPR,” he adds. “Companies deal with data mixing incidents on a regular basis and sometimes the operations are irreversible if a succession of failures occurs too far back in the past.”

Van de Wiele therefore advises security teams to leverage the authentication aspect of TLS where possible.

“This will lower the risk of mistaken identity of servers and databases but understand that the risk cannot be fully eliminated – so act and prepare accordingly by making sure you have logs in place that are acted upon as part of a larger detection and monitoring strategy. That includes successful as well as unsuccessful events,” he adds.

Van de Wiele also advocates enforcing strict rules, processes, awareness, and security controls on how and when to use production/pre-production/staging/testing environments.

“This will result in less data mixing incidents, less impact when dealing with real product data and ensures that any kind of update or change as a result of the discovery of a security issue can be tested thoroughly in pre-production environments.”

Naming servers so that they can be distinguished from each other, rather than going overboard with abbreviations, is another useful tip, as is performing security testing in production, he says. “Invest in detection and monitoring as one of the compensating controls for this and test to make sure detection works within expectations.”
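The three pieces of advice above (authenticate the server with TLS, keep environments strictly separated, name servers so they cannot be confused) can be enforced before an ingestion job ever connects. The guard below is an added example, not WithSecure's code; the `<env>-db-<nn>.example.internal` naming convention and the PostgreSQL-style DSN are constructed for illustration.

```python
import ipaddress
import logging
import re
from typing import Tuple
from urllib.parse import parse_qs, urlparse

log = logging.getLogger("ingest-guard")

# Assumed naming convention (constructed for this example): every database host is
# <env>-db-<nn>.example.internal, so the environment is readable in the name and a
# staging host cannot be mistaken for production.
HOST_PATTERN = re.compile(r"^(?P<env>prod|staging|test)-db-\d{2}\.example\.internal$")


def check_ingest_target(dsn: str, expected_env: str) -> Tuple[bool, str]:
    """Decide whether an ingestion job may connect to `dsn`. Returns (ok, reason);
    both outcomes are logged, since detection needs the successes as well."""
    url = urlparse(dsn)
    host = url.hostname or ""
    ok, reason = _evaluate(url.query, host, expected_env)
    log.info("ingest target %s: %s", "accepted" if ok else "rejected", reason)
    return ok, reason


def _evaluate(query: str, host: str, expected_env: str) -> Tuple[bool, str]:
    # A bare IP is exactly the value a one-digit typo turns into a different server.
    try:
        ipaddress.ip_address(host)
        return False, f"bare IP address {host!r} not allowed; use the named host"
    except ValueError:
        pass
    m = HOST_PATTERN.match(host)
    if not m:
        return False, f"host {host!r} does not follow the <env>-db-<nn> convention"
    if m["env"] != expected_env:
        return False, f"host belongs to {m['env']} but this job ingests into {expected_env}"
    # TLS must authenticate the server, not merely encrypt: for a PostgreSQL DSN that
    # is sslmode=verify-full, which checks the hostname against the certificate.
    sslmode = parse_qs(query).get("sslmode", [""])[0]
    if sslmode != "verify-full":
        return False, f"sslmode={sslmode or 'unset'}; verify-full is required"
    return True, f"{host} accepted for {expected_env} with verified TLS"
```

A mistyped hostname such as `prod-db-O1` (letter O) fails the naming check rather than silently resolving elsewhere, and a DSN that only encrypts (`sslmode=require`) is refused because it never verifies which server answered.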

5. Certificate transparency logs expose rafts of sensitive data

Certificate transparency (CT) logs allow users to navigate the web with a higher degree of trust and allow administrators and security professionals to detect certificate anomalies and verify trust chains quickly.

However, because of the nature of these logs, all the details in a certificate are public and stored forever, says Art Sturdevant, vice president of technical operations at Censys.

“A quick audit of Censys’ certificates data shows usernames, emails, IP addresses, internal projects, business relationships, pre-release products, organisational structures, and more,” Sturdevant added.

“This information can be used by attackers to footprint the company, compile a list of valid username or email addresses, target phishing emails and, in some cases, target development systems, which may have fewer security controls, for takeover and lateral movement.”

Since the data in a CT log is forever, it’s best to train developers, IT admins, etc. to use a generic email account to register certificates, Sturdevant adds. “Administrators should also train users on what goes into a CT log so they can help avoid accidental information disclosure.”

6. “Innocent” USB hardware becomes a backdoor for attackers

Employees may be inclined to purchase and use their own hardware such as USB fans or lamps with their corporate laptops, but CyberArk malware research team leader Amir Landau warns that these seemingly innocent gadgets can be used as backdoors to a user’s device and the wider business network. Such hardware attacks typically have three main attack vectors, he says:

  • “Malicious-by-design hardware, where devices come with pre-installed malware on them, with one example known as BadUSB. BadUSBs can be purchased very easily on AliExpress, or people can make their own with open sources, such as USB Rubber Ducky, from any USB device.”
  • Next are worm infections – also called replication through removable media – where USB devices are infected by worms, such as USBferry and Raspberry Robin.
  • Third are compromised hardware supply chains. “As part of a supply chain attack, bad software or chips are installed inside legitimate hardware, like in the case of the malicious microchips inserted into motherboards which ended up in servers used by Amazon and Apple in 2018.”

Detecting these kinds of attacks at the endpoint is difficult, but antivirus and endpoint detection and response can, in some cases, protect against threats by monitoring the execution flow of extended devices and validating code integrity policies, Landau says.

“Privileged access management (PAM) solutions are also important due to their ability to block the USB ports to unprivileged users and prevent unauthorised code.”

7. Discarded office printers offer up Wi-Fi passwords

When an old office printer stops working or is replaced by a newer model, employees could be forgiven for simply discarding it for recycling. If this is done without first wiping data such as Wi-Fi passwords, it can open an organisation up to data exposure risks.

Van de Wiele has seen this firsthand. “Criminals extracted the passwords and used them to log onto the network of the organisation in order to steal PII,” he says.

He advises encrypting data at rest and in use/transit and ensuring an authentication process exists to protect the decryption key for end-point devices in general. “Make sure removable media are under control, that data is always encrypted, and that recovery is possible through a formal process with the necessary controls in place.”

8. Emails sent to personal accounts leak corporate, customer information

Avishai Avivi, CISO at SafeBreach, recounts an incident where a non-malicious email sent by an employee for the purpose of training almost led to the exposure of data including customers’ Social Security numbers.

“As part of the training of new associates, the training team took a real spreadsheet that contained customers’ SSNs, and simply hid the columns containing all the SSNs,” he tells CSO.

“They then provided this modified spreadsheet to the trainees. The employee was looking to continue training at home, and simply emailed the spreadsheet to his personal email account.”

Thankfully, the firm had a reactive data leak protection (DLP) control monitoring all employee emails, which detected the existence of multiple SSNs in the attachment, blocked the email, and alerted the SOC. However, it serves as a reminder that sensitive information can be exposed by even the most genuine, benevolent of actions.

“Rather than relying on reactive controls, we should have had better data classification preventative controls that would have indicated the movement of real SSN data from the production environment into a file in the training department, a control which would have stopped the employee from even attempting to email the attachment out to a personal email account,” Avivi says.
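The incident turns on one fact: hiding a spreadsheet column changes the display, not the file, so the SSNs travelled with the attachment. The scanner below is an added example (not SafeBreach's DLP product) of the reactive control Avivi describes: it scans every cell of a CSV export, including the "hidden" column, applies a plausibility filter so ordinary nine-digit values do not trigger it, and blocks at a threshold. The sample attachment and its SSN values are constructed.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed sample: a CSV export of the training spreadsheet. In the
# spreadsheet the "ssn" column was hidden, but hiding only changes the display;
# the values are still in the file and leave with the attachment.
SAMPLE_ATTACHMENT = """customer_id,name,ssn,balance
1001,A. Example,123-45-6789,250.00
1002,B. Example,987-65-4321,75.50
1003,C. Example,000-12-3456,10.00
1004,D. Example,555-12-3456,99.99
"""

# Hyphenated or bare nine-digit form.
SSN_PATTERN = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues (area 000, 666 or 900-999; group 00;
    serial 0000) so order numbers and similar nine-digit data do not trip the rule."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a piece of text."""
    return sum(1 for m in SSN_PATTERN.finditer(text) if is_plausible_ssn(*m.groups()))


@dataclass
class Verdict:
    ssn_count: int
    blocked: bool
    reason: str


def inspect_attachment(data: str, threshold: int = 2, skip_columns: Tuple[str, ...] = ()) -> Verdict:
    """Scan every cell of the CSV and block the message at or above `threshold`.
    `skip_columns` exists only to show the failure mode: a check that honours the
    spreadsheet's hidden-column view would skip "ssn" and see nothing."""
    rows = list(csv.reader(io.StringIO(data)))
    header, body = rows[0], rows[1:]
    cols = [i for i, name in enumerate(header) if name not in skip_columns]
    found = sum(count_ssns(row[i]) for row in body for i in cols if i < len(row))
    if found >= threshold:
        return Verdict(found, True, f"{found} SSNs found, threshold {threshold}: block and alert SOC")
    return Verdict(found, False, f"{found} SSNs found, below threshold {threshold}")
```

On the sample, the full scan finds two plausible SSNs and blocks the email, while a scan that respects the hidden column finds none, which is why the classification control Avivi wants has to act on the data itself rather than on how it is displayed.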