Phillip Gervasi: Facebook, Twitter, TikTok, Instagram, even the chat section in YouTube and other video platforms are probably the first names that come to mind when you hear the term social media. And it's a good term really because social media really started as something, well, social. People connecting online, locally and around the world into new digital communities. Now, to be fair, we've done that for years with online forums and if you remember IRC Chat, so the idea isn't exactly new, but the way that these social media companies have made it so easy to connect and to share over the last, I don't know, maybe about 15 years or so, is really unprecedented in all of human history. So clearly there are benefits to people being able to connect with each other so easily and all over the world, but we need to consider the security and at an individual level, some privacy concerns when it comes to social media. And especially when it comes to privacy, there are a lot of gray areas and even cultural beliefs that come into play. And there are also some hard truths about security and privacy that we should be aware of as individuals, as government entities, as organizations, as companies, as we make our own decisions on how we consume and how we use various social media. With me today is returning guest and cybersecurity expert, TJ Sayers, Director of Intelligence and Incident Response at the Center for Internet Security. And we'll be discussing what the cybersecurity community has learned over the years about how social media is used sometimes for business purposes and sometimes for more nefarious purposes to collect and analyze information about you, about me, and frankly about most of us online. My name is Phillip Gervasi and you're listening to Telemetry Now. Hey, TJ, it's really great to have you back on the podcast today. I've been looking forward to this topic for a long time. I'm a big social media user. 
I think you know that, our listeners certainly know that. Using Twitter, LinkedIn, I've been toying with TikTok a little bit and things like that. So today, this topic of the security concerns around social media, very intriguing to me and I'm sure to our listeners as well. But before we dive in, would you just give us a little background about yourself and what you do?
TJ Sayers: Sure, yeah, would love to. And thanks Phil for having me on. Really looking forward to the discussion. My background is largely DOD initially, and then I got into this field, cybersecurity in particular through a graduate school internship. It was one of the requirements in the program and that landed me at CIS for the better part of the last decade. My current role, I'm the Director of Intelligence and Incident Response, particularly over the MS and EI-ISAC. So to give the audience a little bit of clarity, for those of you who are unfamiliar with what CIS is, what we do, what the Multi-State and Elections Infrastructure Information Sharing and Analysis Center do. CIS's vision basically is to lead the global community to secure the right ever-changing connected world. So essentially give confidence in the connected world, the mission is to make the connected world a safer place, and particularly we do this by developing, validating and promoting industry best practices, which uniquely is guided largely in coordination with the global IT security community. So a lot of feedback from the IT security community. We work with the global community to come up with these best practices and guidelines, and they're all aimed at mitigating pervasive cyber threats. So kind of how I fit into the picture is I work under the ISAC umbrella, so Multi-State and Election Infrastructure ISAC. And those two ISACs are tasked basically with providing cybersecurity services and support for the nation's state, local, tribal and territorial and election office entities. So you can think of that as basically any taxpayer funded organization that falls below the federal level. On the federal level, we have a cooperative agreement with the Cybersecurity and Infrastructure Security Agency, and they oversee not just federal infrastructure, which is their primary domain, they also in tandem with us help secure the SLTT community. 
And then CIS in particular is that umbrella parent company where the ISACs fall under.
Phillip Gervasi: Okay. And for our audience's sake, by federal you mean United States.
TJ Sayers: That's correct, yeah.
Phillip Gervasi: Yeah, that sounds like a very broad scope that CIS encompasses. Your purview really has a lot of tentacles into a lot of areas. And last time we spoke, we talked about network security, we talked about the various threats that are top of mind for you out there in the world. I think we even discussed social engineering a little bit. So let's focus then on specifically social media. What is the problem with social media? Actually, let me start with this, what specific social media platforms are an issue for you?
TJ Sayers: Sure, yeah, I'll preface this, I guess with a lot of good comes out of social media. As you said earlier, a lot of people use social media. You yourself and your company, you use social media, we at CIS use social media, right? There's a huge tangible value add with just connectedness, the ability to share, the sense of community that it gives people apart from being physically located together, you can have now accessed and breaking news at your fingertips that was previously unavailable in our history. You can brand build, release new products and services out to the community without being confined to just a couple avenues of doing that. So there's a ton of benefits to social media, and I'm not necessarily here to try to persuade people not to leverage social media, just giving more of a secondary kind of perspective from a security side of where the privacy implications may be and some things to take into consideration. And then we'll talk about the differences between social media generally and then certain social media companies that may have larger motives beyond just revenue. So, there's a threefold thing I like to note as a kind of guiding principle. One is technology sometimes knows you better than you know yourself, and this is shockingly true for social media. The second is if you're not paying for the product, you most likely are the product. And this is also true of social media and you don't typically pay for social media. There may be some business applications or specifics where you may, but by and large you're not paying for that product. You typically are the product. And then not all social media is created equal. 
Kind of what I alluded to just a couple of minutes ago is certain platforms are out there and their main aim is just marketing, getting to know you as a user and being able to present certain advertisements, maybe sell some of that information to other marketing companies so they can better cater their products and services to you, see what you're interested in so they can write more articles that are catered to that viewing audience, things like that. But there's other platforms, TikTok in specific that have a little bit more of a strategic influence or geopolitical aim, which I'm sure we'll get into in a little bit. But every individual and organization has to do their own risk assessment. They have to determine what social media exposure works or doesn't work for them, which platforms they want to use and don't want to use, what types of content you want to put up there. And that's truly an individual or an organization based decision for every individual.
Phillip Gervasi: Sure, sure. And you sort of didn't answer my question at first. You went broad and said social media is okay if it's used properly, there's some privacy concerns. And that actually is one of my other questions I wanted to ask you. There's a difference between privacy and security. Isn't there?
TJ Sayers: There certainly is. Yeah. So there's a couple differences here. So in the security aspect, there's the kind of notion of secrecy. So there's certain things that you want to be in the realm of secret. So that's everything from classified information at a government level, that's secret stuff that's not for public disclosure. And then there's the private side where it's not necessarily secret, but it's private. A good example would be maybe a discussion you have with your family at the dinner table. That's not necessarily secret, but it's certainly private. It's not necessarily something you want to share with everybody. And then where does security fit in is that oftentimes security is trying to prevent operational impact, but there's also a whole nother realm of security where it's trying to prevent the unintentional or intentional exposure of people's private information. So health information, places you travel to, connections that you have, anything that an individual or an organization may consider proprietary information or personal information or confidential information. Security also gets into that respect of trying to protect the disclosure of that information.
Phillip Gervasi: Right. And in this context, as far as social media is concerned, is the primary concern mostly then privacy, not necessarily secrecy, and I guess I'm talking about the individual, not necessarily the Department of Defense's Twitter account. Obviously there's going to be some secrecy involved there.
TJ Sayers: Yeah, I think the answer here is it depends, and again, it depends on the specific platform. So certain platforms have one purpose and that's getting users on that's trying to mobilize activity on the platform and the end result is some type of revenue for that company. And then there's other platforms that may be revenue focused, but they also have ulterior motives. So it's more of a privacy issue with most social media platforms and with one in particular and maybe some others. It's somewhat of a security issue as well. And I would say it largely comes back to what is the issue we're talking about? Is it a strategic type of thing? Is it we don't want employees accidentally putting stuff online on our social media accounts that's not for public release yet? It also comes back to who's behind that platform. Sometimes you just purely have that revenue motivation. And other times as I'm saying particularly here with TikTok, you do have that geopolitical or more strategic influence aim, and that may be more of a security issue because they're not just looking at you as a person and what you're consuming and what you're viewing. They're collecting and cataloging and trying to build a bigger picture for more strategic and geopolitical aims down the road. So that becomes now a clear security issue at large for all users if that is taking place compared to just information gathered for the purposes of revenue. Does that make sense? Does that answer the question?
Phillip Gervasi: Yeah, that makes sense to me. And I think for individual users, again, not companies and governments and that sort of thing. For individual people that are using these platforms, I think the whole privacy concern is probably going to exist on a spectrum. In my experience working in tech for many years and for a short time specifically focused on network security, there were folks that were very, very, very tight with information. They didn't want anything, they never used cameras on Zoom, any kind of geolocation information. They don't want anything out there, VPN or whatever kind of a VPN browser, all the time. But then there were those that just didn't care. And you know, like the whole joke, you don't need to tweet every thought. Well, they tweeted every thought. They are those folks at everything, it's just a brain dump on Facebook constantly. And I feel like there's a spectrum there on the individual side with regard to privacy, because I never saw any of those individuals that were willing to share private information, also share social security numbers and bank information and passport numbers, the secret stuff.
TJ Sayers: Right, right. Yeah, and I think this gets into a whole nother thing we probably should outline too. And then maybe I'll jump into some more of the specifics on the differences behind, like a Facebook and a TikTok. But what kind of data is being collected and why. So typically what's being collected across the social media space is device data. So maybe device name, the make, the model, hardware specifications. It could be the time zone, you mentioned geolocation, it may even be other apps installed. Oftentimes when you install some social media applications, it asks you if it can get access to your contact list or it may ask you if you have other apps installed or when you sign into that other app, it may ask if such and such application can access that. And really it's more often than not just for usability and for user experience that that's happening, but that can also be for ulterior motives. There's other things too, like network data, IP address, location beyond just your IP address as well. Sometimes the GPS is used as well to find the specific location maybe of an image or a video that was taken or when you use the application that's being captured, cellular or wifi information. It may even be what cell carrier you use or your number, anything pretty much upfront that you put into the platform to sign up, like your name, your email, your date of birth, things like that. That's all being captured typically with the particular social media vendor. But there's also a whole nother realm that I don't think people typically think about. And there's a lot of talk about algorithms and catering content to certain users compared to other users. 
And there's a lot that goes into it and all algorithms are not made the same, but by and large, how long you've spent on the site or application, how long you've scrolled, how fast you've scrolled, where your finger or your mouse is placed on the screen, the time of day you're looking at the website or application, what content you're looking at what time of day. You're also potentially having things like what you viewed, how long you viewed, did you skip around the video, did you watch the entire thing or only half of it, did you immediately back out of the video and go into another video or post? How many times have you viewed that? Did you come back multiple times to look at it? Maybe that's more than just a precursory kind of skim type of thing. Other stuff, like how long have you paused? When you're scrolling through, did you pause longer on a certain article or video or image? What time of day did you pause longer on that? Are there other areas where you visited more often than other aspects of the site? Any likes, comments, suggestions? Did you share the content? All that stuff is captured, right? And it's basically built in when you're using that website or application to try to feed you content that you're more apt to click on or view. And that gets into another aspect too is once the algorithm gets an initial baseline of what you viewed, it will then begin actually displaying content to you, which could be as immediate after just one visit and one click on a particular thing on that site or application. And then it's going to factor in when the algorithm does feed you this content, do you click on it? Do you scroll through it? How long did you view what was fielded up to you based on your previous viewing history and interaction with the application? And this kind of creates a baseline of what you look at, when you look at it, what interests you have. 
And depending upon the company, this could be used for marketing to you or it could be used for trying to shift the narrative maybe on a really politically sensitive issue or for causing some type of disposition shift in a population, or maybe they're just going to shield certain content entirely. We've seen this with TikTok in particular where there's certain discussions happening maybe around the Uyghur Muslims or it could be some type of Chinese protest, and they will basically prohibit any content or criticism of those things or viewing of those things or criticism of the Chinese government from being viewed or posted on the platform.
Phillip Gervasi: And I'm going to play the devil's advocate here and ask this question. Other than that controlled information, which obviously is either going to be nefarious in its goal or just isn't good for a citizenry, I get it. I get that. Other than that, who cares? What's the difference if Facebook knows what I like if it makes my experience better. And I get it, they're trying to sell, I mean, we kind of all already know this. We're training the model every time we click on a thing, so who cares?
TJ Sayers: And again, this goes down to that question of an individual or an organizational self-assessment, right? And I would say that that idea of who cares comes down to the individual or the organization. What do you care about what's exposed? Right? And I say that's probably a good question to ask for most social media out there. But when it comes to foreign owned, particularly Chinese owned social media applications, there's a much larger discussion and factor at play. Particularly what I would say is the threat equation. Threat is typically what's the capability? Is there intent and is there opportunity? And that gives you your overall threat equation. And with TikTok in particular, you have what's called the National Intelligence Law of the People's Republic of China. And essentially this was passed in 2017 by the National People's Congress, and then it was updated, I believe a year later in 2018. But essentially there's a couple articles in that intelligence law that is much, much different than US policy. And it's Article 7. Article seven essentially compels Chinese businesses who are registered or operating in the PRC, People's Republic of China to hand over information to Chinese intelligence agencies. And not only that, but this is a key component here, especially given that the TikTok CEO just recently came and gave testimony and was denying some of the allegations, is that it is also to conceal the fact that these organizations give it to the Chinese intelligence agencies. So not only are you compelled, but you also have to try to conceal the fact that you're providing that information. And then you also have Article 10, which makes the law applicable, not just within the borders of China, but also Chinese companies that are operating abroad. So think tech companies, a lot of other Chinese companies, those organizations can also be compelled to hand over user data even if they're operating beyond Chinese borders. 
So there's huge implications for this because the way the US operates is that there's intelligence law in place, there's executive orders, there's policy, there's regulations, there's all of these really important red tape as it were, to prevent the collection against US persons and US organizations. And it's very detailed and it's geared towards protecting the privacy and sensitivity and security of US persons, that's not reciprocated in China. China basically has carte blanche to gather whatever they want from these organizations, and they also have a completely different worldview than the US does. They've been known to target political dissidents. There's targeting of the Uyghur Muslim population in China doing really atrocious things, and they just don't have the same perspective on freedoms that the US would. So that's something we have to take into consideration when we're dealing with certain applications is what may this information be used for down the road beyond just revenue?
Phillip Gervasi: Okay, so let's say we have China or some country, any country using social media as a method to collect information for nefarious activity in some kind of state sponsored security, something really James Bond, I get that. But isn't TikTok predominantly 14 year old girls and maybe some other teenagers as well, boys as well. But my point is what would China want that data for? I don't get it. It's literally geolocation of a 15 year old girl in central New Jersey.
TJ Sayers: So there's two aspects here. First is they're not going to be children forever.
Phillip Gervasi: Okay, true, that's true.
TJ Sayers: And the information collected on them may be of great strategic advantage to China in the future. Maybe these kids, and I hope they do move into STEM fields where they're working at leading technology companies and working on really high profile new projects and things like that. Having access to information on that individual could be used for extortion. It could be used for manipulation. So just purely on that level, China's not a tomorrow thinker. They're thinking 5, 10 plus years down the road when they're collecting this information. It could also be used for any type of future military endeavors. If they have information on particular individuals who are in sensitive government positions, they may be able to extort those individuals or influence their thinking. And then the other aspect is it's present day what type of content is being fielded up to users? And I think it's good for the audience to recognize. There's actually two different versions of TikTok. We have the US version, and then you have Douyin, I believe is the pronunciation for Chinese users. And there's been a lot of studies and reports done on the differences between those two applications. And you have the Chinese version of TikTok, which is fielding up STEM related content. You want to be an astronaut, you want to be an educator, you want to be a scientist, things like that to Chinese kids. And then you have the US-based version, which is predominantly pure entertainment or by the estimation of some actually destructive content that's fueling like suicidal ideations, self-harm, eating disorders, everyone wants to be an influencer and everybody wants to something that's crazy and just gets views and clicks instead of trying to push them into STEM fields. If that's happening, that's certainly within the modus operandi of China, is they're trying to essentially usurp the US in particular on the economic and world stage as a leader in STEM fields. 
So it would make sense if that is happening that that's kind of falling in line with Chinese strategic policy.
Phillip Gervasi: Yeah. And you said if a few times, do we know that that's happening? I mean that they're doing that deliberately?
TJ Sayers: Based on the studies that have been done of the two applications a couple of years ago, that was certainly happening. What we've seen recently is the scrutiny of TikTok in particular, things seemed to have slightly shifted. So back when that application in particular was first analyzed and people were looking at it, there was a lot of stuff that was getting collected on TikTok, or at least TikTok was collecting on users that if you were to go and analyze today, may not be collecting the same information or fielding up the same content. There's an immense scrutiny. I mean, there were congressional hearings, the InfoSec community was interested in TikTok and there was a lot of blow back of what was happening, just kind of poor security practices and some of that stuff was corrected. And I think that's the big point here is that a simple application update could shift what's collected or what's not collected on that platform. If it's already existent on your device, if it's already on there, China could change what they want to collect and compel TikTok to share that information or to change their policy or what they're collecting. So I would say the TikTok of three to four years ago is probably different than the TikTok right now in June of 2023. But that's certainly not how it was in the past. And some of the things that they were collecting were scary, and the level to which they were obfuscating, what they were collecting was also novel for the social media platform industry at large.
Phillip Gervasi: Now we've been talking about TikTok and I get that, I understand why, but there are other very, very prominent social media platforms out there with millions or even billions of users. I mean, Facebook is the first one that comes to mind, but then there's also of course Instagram and Snapchat. In the professional sphere, we have LinkedIn, you can probably consider the chat function of YouTube as a type of social media. And then we have these new platforms coming online like Mastodon and Bluesky. So what are your thoughts on these other platforms other than TikTok?
TJ Sayers: Yeah, I mean most social media is going to collect very similar things, and I think that's a big takeaway for the audience today is it's not necessarily always what the social media company is collecting. It may be the intentions behind that company that are of concern, you may feel comfortable sharing certain information with certain organizations, and you may not be comfortable sharing that with other organizations. And that's a calculus that we have to factor in when we come down to larger big picture issues like this, where you have a particular nation allied with or adversarial towards another nation and citizens from, let's say the US are using a Chinese based application. There's larger implications to that. It's not just a platform that you hop on and have some fun with. That information could and very well may be used in the future for malicious purposes. So it really comes back to who's behind the application. And I want that to be a big takeaway. When it comes down to the actual collections off of things, like from a technical perspective, you can track a lot of this stuff through some type of man in the middle applications, network sniffers. There's a couple of mobile applications that I've used in the past too that either create like a VPN tunnel or use the loopback address to filter traffic. I've used LockDown, Blokada, there's a bunch of others out there, but it'll let you see all of the application traffic on your mobile device that's going outbound. So certain API calls, certain domain calls, things like that. And you can see what these applications are doing so you can kind of view what's occurring. And a lot of the stuff that's collected is over API calls. It's device permissions, just simply over HTTPS or something like that. 
For TikTok in particular, they do API calls, device permissions, HTTPS stuff, and they're collecting on a permissions basis right now, like network state, wifi state if you're authenticated into the account or not, camera permissions, flashlight, internet access, other accounts that you have on TikTok. Let's see, I'm just reading through some of the things I put together here. So if audio recording is on, if vibrate is used, how long the screen's been on, things like that, just baseline kind of application privileges or permissions. And then things that are sent over HTTPS could be the operating system version, the resolution of your screen, the device brand and platform, CPU information, the language could be longitudinal or latitudinal information, so kind of location based stuff. Just things like that. And then you could have a lot of different things that would be really of interest tying something to you. And some of the other things that have been tracked by TikTok. Years ago there was suspicions that they were capturing the IMEI and IMSI of mobile devices. So IMEI is the International Mobile Equipment Identifier. Basically that's like the 15 digit unique identifier for each device. So it's tied to your phone. So if you get a new phone, that number will change. And even more concerning is the IMSI one, right? That's the International Mobile Subscriber Identifier, and that's particularly tied to your SIM card. So that typically follows you phone to phone. So even if you were using a particular application, it captured that IMSI and you went and got a new phone and popped your SIM card into that new phone, it's now going to track you on that new device. So it's going to know that even though you got a new device, you're the same user and it may start fielding you the same content or collecting information on what you're doing beyond just the device that you were using.
Phillip Gervasi: But this is all collecting information about who you are for some sort of behavior analysis. So again, they're training a model and adding all this to a very large data set. And also for behavior modification, like you said, so they're influencing a population. Maybe it's the American population of a certain age group, maybe a certain socioeconomic status, whatever it happens to be. But is there anything going on that we would say is a step further as far as actually trying to exfiltrate data that would be deemed more than private? Not necessarily secret because I'm not the federal government, but something that I literally don't want to share, but they now have access to.
TJ Sayers: Well, I'm not aware of a specific instance like that. That's not to say that if there was a particular information that they were after, they wouldn't be able to get it. They absolutely would be able to get it because that organization would be compelled by national law in China to collect and gather that information as obscurely as possible so that they can conceal the fact that they're doing it. And I think that concealing aspect is another thing I wanted to highlight here is that there's a lot of social media out there and a lot of these social media companies collect the same information and it's surely not all malicious, but one unique thing with TikTok in particular was the level to which they went to obfuscate what they were collecting and how they were collecting it. So a good example is not just using HTTPS, but they would have a proprietary algorithm laid over top of that to re-encrypt and send information off of the device. API calls also had a very custom signature that they were using to send off information. And the level of obfuscation that went into that platform in particular and what they were collecting was alarming to the security community. And it's an enormous undertaking to try to figure out all of those different aspects. You'd basically have to go in and reverse almost every single native library available and manually inspect obfuscated functions to figure out what's being done. So it's not just that they're collecting information, it's that there were extra measures and great lengths taken to prohibit identification of certain things being taken. And because you can update an application over time, it's very plausible that they may enable a certain function or update the application for a particular user for a time to collect something and then turn that setting off or turn that off so that they're not collecting that anymore. This all goes back again, it's compelled by law. 
If China comes to ByteDance, the parent owner of TikTok and says, we want you to specifically monitor these particular people and we want you to collect as much information as possible. ByteDance is then going to go to the TikTok CEO and probably the company at large, and they're going to say, you need to collect this information and then you're going to have to conceal that you're doing it. Something like that would not happen in the US with US companies. In fact, there's been instances in the past that are great use cases for this. Apple's a great example. There was an iPhone that was used by a shooter years ago. That particular iPhone, they wanted the backdoor, they wanted Apple to unlock it and decrypt it so that they could get access to that material and Apple refused. And it was one of those really hard decisions because yes, we want to know if there's other attacks going to happen, if there's going to be more ramifications beyond just the singular event, but backdooring that device and allowing the decryption of that device now is potentially going to set precedent to violate the privacy of everybody else using that device, right? Or using that particular application. So US companies have the law on their sides to push back against certain requests, whereas Chinese companies don't have that wherewithal or law backing to kind of push back if Chinese intelligence agencies come and ask something similar.
Phillip Gervasi: All right, so then what are some of the things that we can do to protect ourselves while we're using social media? I mean, I guess there's always the turn everything off method and we just don't use social media, don't install TikTok, don't use Facebook, don't have a Twitter account. But assuming that we're going to use social media, there has to be a way that we can use it safely. Maybe it's operating system choice or not using the app and then opting to use the browser instead or always using a VPN. I don't know. You tell me. What are the ways that we can be safe when using social media?
TJ Sayers: Yeah, there's a bunch of things that people can do. Particularly it comes down to kind of device choice in a lot of cases. So using a web browser on your PC is much better than using your mobile device and actually installing the application on that device. There's another level of privileges that's granted to that application once it has residence on your actual device compared to you just visiting it through a browser. If I was going to kind of give a flow as it were of privacy, if you were to use social media, like an extreme case, extreme privacy oriented case would be don't use it at all. Don't use any social media, but that's probably not doable for most individuals or really any organization out there because you want to get your message out and broadcast the good things that you're doing.
Phillip Gervasi: Well, it's like the whole idea of saying that I don't want to get into a car accident, so I'm never going to drive again or I'll never get driven again. I'll never be in a car again. I mean, that's just not realistic. And so in the same way, I mean we could say, oh, I don't want to have any privacy concerns or security breaches on my personal information, so I'll never use social media again. Well, I mean that's kind of the same thing. Social media is a tool, it's a technology. It's amoral in that sense, in the sense that it's just ones and zeros over a wire. And then the morality and the ethics come in with how that technology is used either by individuals trying to exfiltrate data or companies that are taking information, but perhaps for just innocent like business purposes, but without people's permission. And therein lies the problem. And you mentioned that there are some methods that we can do opting for using a particular social media platform via browser instead of installing the application. But I do have to say that I've used some of the browser versions of some social media platforms. I'm thinking of one in particular, and they are far less functional than using the application that you would install directly on my MacBook or on my phone. So I have to assume then that is... it suggests to me at least that these companies, these social media companies are pushing people to use the app, right?
TJ Sayers: Yeah, that's very common. Not only because of the permissions or having the application on your device, you have better opportunity to use certain functionality that's kind of standard I think for a lot of software, but it very well could be used to just push users to trying to use the application instead of visiting over the browser. But quickly to just finish the flow that I was going to outline is the extreme case is not using it at all. Next best would be not having the application installed, not using a mobile device at all and using some type of virtual machine on a PC to go visit your social media profiles where it's containerized and you're only posting and providing information that you can very tightly control. The next best case is just using a browser on a PC. Then I would say probably a browser on a mobile device and last resort actually installing the application on a mobile device. There's other things you can do too. So we talked about how different specific platforms are better than others. They're not all alike, so keep that in consideration. VPNs are great. They've become kind of commercialized and mainstream. I don't really know anybody who's not aware of what a VPN is now, but VPNs are still very helpful. And then also be careful of what you share. Be careful of when you're enrolling on these platforms, what information you're providing to enroll, what information you're sharing when you're on the platforms. Always review the settings. I get critiqued sometimes amongst my family of being the settings guy, but whatever I install on my PCs or whatever I install on my mobile devices, I always go through the settings and as soon as I see a privacy section or an area where I can lock things down and give myself or my family more privacy, I'll usually enable or disable those settings respectively. So just check out the settings.
There's a lot of privacy functionality, especially built into US-based social media companies in recent years to try to safeguard your information. And then definitely separate personal from business use. So a lot of people will kind of conflate social media accounts between personal use and business use. That can get a little bit muddy just generally speaking between personal and business. But it also opens you up to additional scrutiny with people knowing here's the personal things you do and then here's the business that you work for and what you do. And they can use that for additional social engineering and targeting of building a bigger picture of who you are and what you do.
Phillip Gervasi: So then what specific things should I be? This is for the person who has no boundaries. They're out there, I know them. I know some of them by name, who don't care. Speaking to them, what are the few top things that you would recommend they consider locking down and not sharing? So off the top of my head, I don't share pictures of my family on social media, very rarely. If I do, it's a long distance picture that's kind of funny of my kid way out in a lake. I don't like to share pictures of my family because I feel like that's... I don't know who's out there looking at this stuff. But what else, what should people be concerned about sharing?
TJ Sayers: Me personally as well, family information. I think that that certainly opens you up to another level of social engineering. If someone wants to get access to you or manipulate you, they can then conceivably go after your family. So anything personal oriented like family, immediate family, somewhat extended family, I would be very careful of posting that stuff online. I would be careful of posting a lot of travel, especially if it's personal. We've seen that before where someone posts, "Hey, I'm going to be away for a week," and then their house gets robbed or something like that because hey, you were going to be away for a week and everybody knows you're not going to be home now. But a lot of other things on a more technical level is ensure like geotagging in your photos is turned off. So a lot of times people will take a picture, they'll upload it to these platforms, and all the metadata in that photo potentially identifies literally almost to the coordinate level of where you took that picture, when you took that picture, all of that stuff. So be careful of that. I would also say, generally speaking, for most social media, if you don't have to share it publicly, just share only your social media with connections or contacts that you already have or friends you already have on social media. That can get a little challenging with things like Twitter because it's purposefully built to be out there. But just then be careful what you post on there. I wouldn't post things that are more sensitive or private on a public platform like that that you would consider just doing over a direct message and assume any direct messages sent over these platforms are no longer yours, that if someone wants to access them, they probably can. And then lastly, I would say for LinkedIn in particular, people put a lot of information, very granular stuff about their job and what they do and the fields they work in and what projects they were on.
Some of that stuff can be proprietary or even classified information. So just be very careful of your career record on sites like LinkedIn because that one could give someone a competitive advantage because they know what particular technologies you're using. It could give a cyber actor some type of foothold to say, Hey, they're using this particular firewall appliance or this particular network intrusion model, or they have this particular email filtering service, or they're using this for their host level protection and it just gives them more information so that they can start building an attack model or profile to have success. And then you have too, the more strategic stuff we've been talking about where foreign organizations, foreign governments will take interest in certain fields, STEM in particular, where they see you on LinkedIn being extremely successful. Maybe you have a bunch of different publications you've worked on and you're well known in the industry and you would be a phenomenal target for solicitation. So they reach out to you, try to build connections, start targeting you with certain things, and they're just trying to collect information based on that relationship that they could use for a competitive advantage.
Phillip Gervasi: So ultimately what we're doing is trying to use common sense with a technology, which we do across the board in our lives with other technologies. I use common sense when I use my stove. But then being more cognizant of what I'm putting out there. So for example, you mentioned the metadata that's embedded in pictures. That's just a simple thing. It's just a simple setting that I can change, I assume. I've never actually done that, so that's something I'm going to do right away when we're done recording. And then the understanding that a lot of that information is being pulled in, not necessarily to hack you and steal all your bank account information and therefore all your money, but to build a profile of who you are. And for me, I'm not obsessed with privacy necessarily, but that does concern me because I want to know why. How am I being manipulated? How is my information being used in ways that I don't approve of?
TJ Sayers: Yeah, exactly. And I think it's important. We do live in a, quote, unquote, "globalized world," and we are highly interconnected all across the globe, but there are bigger things at play. There's the commercial level and the economics of it all where a lot of international organizations work together, but there are nations at the military and strategic political levels that are adversarial to the American way of life and to certain things that we're doing, and they will leverage this information to their advantage in the future if it comes down to some type of future altercation. So there's a lot of novel ways when you get to know somebody at a granular level, like a social media company may be able to do, where they can cater certain news to you or they could extort you in a particular way. Maybe you were looking at stuff that you would want to remain private, and then that organization could then come to you and extort you and say, "Hey, we're going to expose what you were looking at, or we're going to expose this relationship you have, or we're going to release these direct messages that you thought were private," and it's going to destroy your career or your reputation or stuff like that. People don't think about stuff like that when they're using these applications. And an adversarial nation will be very interested in leveraging that type of stuff down the road if it comes down to it to try to gain, again, an advantage, whether it's militarily, economically or whatnot.
Phillip Gervasi: Yeah. And ultimately, you mentioned direct messages, but really anything that goes onto that platform is now their intellectual property. Is that right?
TJ Sayers: Yeah, that's right. Yeah. That's another great point that people don't think about is it's your information and it may be private to you, but once you put it online, it's no longer private information, and it may very well be the intellectual property of whatever application or company you're using.
Phillip Gervasi: So maybe this is not answerable, but if I put pictures of my kids on Facebook, does Facebook now have rights to those pictures?
TJ Sayers: They do. They have rights to the pictures that are posted on their platform.
Phillip Gervasi: This actually makes me think of the fact that though I, me personally may be very good about my social media hygiene, if you will, making sure that I have the settings on my phone properly adjusted, so that way there is no metadata being revealed in the pictures that I post on Twitter. I don't post pictures of my kids on Facebook. I'm careful about sharing location on LinkedIn, whatever, all of those things. But then I go to a birthday party with my family and friends and I have family and friends that take pictures of me and my family, and without me knowing it, post those pictures on their social media and nothing nefarious, nothing untoward going on. It's just friends and family posting fun and happy pictures and happy messages, but without my permission and maybe without my even knowing about it. So there is still that issue out there, even if you are really good about your own social media.
TJ Sayers: Yeah, that's tough. You go to a wedding or a big family function and people take pictures of just the family and then they post them online. The one thing that I have always found helpful, at least personally, is that they are not going to be able to tag me because I don't have a social media profile to tag in that image. So unless they explicitly mention me or call me out or my family member by name, it's going to be harder to tie things back. But it gets down to some legalese stuff when you get into... if you post an image on Facebook, is it actually their image or do they just own a particular aspect of it or just the image on Facebook? There's a lot of complexity there that I can't speak to at a legal level, but certainly when you post stuff online, it's now public kind of domain. That's just an accepted thing nowadays. And then with a particular platform, they have some level of ownership over that information. So I haven't come up with a good solution for people taking pictures and posting them online without my consent. But it's just something that you want to be careful of.
Phillip Gervasi: Yeah, yeah. It's caused a little consternation in my extended family. And what it comes down to is that folks will come back to me and say, "Who cares? What's the difference? I mean, you're online." And I'm like, well, there's certain things that I'm okay with putting online. It's my choice, but there's certain things that aren't okay for me. And again, going back to what I said earlier, I know that there's a spectrum there that some people are okay with much more or much less and some with none at all. You mentioned that you have no social media profile whatsoever, but there is a line for me, and when it comes to my immediate family and certain elements of my personal life, they don't go out there. So for example, I use Twitter almost entirely for tech stuff. There's a very little bit that I put out there that's personal, and to be honest, that's more just to show that I'm a real person and I don't just retweet links to some tech article. And I use LinkedIn for the same thing, zero personal stuff on LinkedIn. I've experimented with some other social media, but it's mostly, like you said, in a strategic way to build a brand to connect with other like-minded engineers. Yes, there's a tech community out there. I remember using chat in the late 90s when it was brand new and even before that. So it's a very helpful technology for folks that want to get together and have these discussions and help each other get through a cut over that went sideways or something like that. So there's a lot of value there, but certainly it's very eye-opening or it has been very eye-opening in this last hour. Discussing with you what's being collected to what extent how from a technical perspective, a lot of it without our knowledge whatsoever, as soon as we hit accept there, it kind of opens the floodgates, right?
TJ Sayers: Yeah. It's one thing to visit a social media website and not have an account. Twitter's a great example. A lot of people can view Twitter feeds and stuff on Twitter and get news from Twitter without necessarily having to have an account. And then surely we mentioned already, not all social media is created equal. So your potential exposure on Twitter is going to be much different than all the information you may have on a Facebook account if it's still public and not private to just your contacts compared to using TikTok and the stuff that's collected there, there's all these different risk and threat calculations for different platforms. So it's a hard decision to make for a lot of individuals and organizations on what to use and what not to use. But it's important to know going into it that there's a lot of information you may not realize is being collected, and it may just purely be for revenue generation for that company, but there may also be ulterior motives down the road, and you don't want to get wrapped up in something that you were unintentionally scooped into because you just didn't have the knowledge going into it.
Phillip Gervasi: Does CIS and other like organizations actively and proactively monitor social media for this kind of activity?
TJ Sayers: We don't proactively monitor social media specifically for what we're talking about here, but we certainly monitor, from the ISAC perspective, posts made by threat actors or other malicious actors against election offices or against state, local, tribal, territorial US governments. Anything that's going to be affecting our membership base, we'll monitor for that type of stuff. But this is more of a telemetry based, long term strategic type of thing of what some of these platforms collect and what they could be used for. That's a little bit outside of the domain of CIS. But we keep a close eye on stuff like this. Particularly a couple years ago, one of the teams I oversee, the Cyber Threat Intelligence team took a particular interest in TikTok. Particularly because of the thing with the level of obfuscation that was in place on that application and some of the things that they were known to have been collecting years ago. And we wrote a blog post just kind of bringing awareness to it. Around that same time, DOD banned TikTok on their devices. A lot of states are now banning TikTok. It's banned off of certain federal devices and things like that just because of the risk of what it could be used for down the road or even presently to collect information. And we currently have a blog post on our website. If people want to go on cisecurity.org, they can go check it out. It's TikTok: Influence Operations, Data Practices Threaten U.S. Security.
Phillip Gervasi: Yeah, we'll definitely link to that in the show notes. So then who is doing the monitoring? And I mean, you mentioned some studies earlier, who were doing these studies? Is it government and para-government organizations, or at least the security arms of those organizations?
TJ Sayers: Surely US governments are interested in this stuff. I'm not going to go through and name them, but most of the really interesting public research that has been done is through independent security researchers and certain security based companies who've released the reports outlining, "Hey, we checked out this application, here's what we observed. Here's the things that we saw it reaching out to and how it's doing it," and just bringing awareness to the space.
Phillip Gervasi: Well, TJ, this has been a really great conversation so far, and we are approaching an hour or so. I'd like to wrap it up. Before we do, I'd like to say, my goodness, is social media a love-hate relationship for me? I mean, over the years, I have connected with so many great engineers, many of whom I've become friends with and who have helped me as an engineer in my career. And I hope I've also been able to help a little bit as well. And also just the community that I've been able to be a part of via various social media. I mean, that's how I've built my career over the better part of a decade now. But at the same time, yeah, especially in very recent days, growing concern over security issues and probably more so privacy issues. And of course, not to mention some of the stuff that I see in my feed these days. So for me personally, I still value social media very much, but I appreciate the eye-opening conversation that we've had and the information that you've been able to share. So as we close out now, TJ, if folks have a question for you or a comment, how can they reach out to you?
TJ Sayers: Yeah, I would direct them to CIS, particularly media@cisecurity.org. And I'll pass along that information over to you, Phil, and if they have any questions, they can route them through there and I'll be happy to answer them.
Phillip Gervasi: Great. And I won't ask you for any social media because you don't have any. But you can find me online still. I am active on Twitter @Network_phil. You can search my name in LinkedIn and if you have an idea for a show or you want to be a guest, please reach out to us at telemetrynow@kentik.com. So until next time, thanks for listening. Bye-bye.
Do you dread forgetting to use the “add” command on a trunk port? Do you grit your teeth when the coffee maker isn't working, and everyone says, “It’s the network’s fault?” Do you like to blame DNS for everything because you know deep down, in the bottom of your heart, it probably is DNS?
Well, you're in the right place! Telemetry Now is the podcast for you!
Tune in and let the packets wash over you as host Phil Gervasi and his expert guests talk networking, network engineering and related careers, emerging technologies, and more.