{"id":16958,"date":"2020-06-29T15:09:07","date_gmt":"2020-06-29T11:09:07","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/unusual-ways-to-leak-info\/16958\/"},"modified":"2020-06-29T15:09:56","modified_gmt":"2020-06-29T11:09:56","slug":"unusual-ways-to-leak-info","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/unusual-ways-to-leak-info\/16958\/","title":{"rendered":"4 ways to royally leak your company data"},"content":{"rendered":"

If you post pics of concert tickets on Instagram without hiding the barcode, someone could get to see your favorite band instead of you<\/a>. The same can happen even if you do hide the barcode, but with the wrong tool.<\/a><\/p>\n

That said, remembering to conceal the barcode properly before bragging about tickets isn\u2019t so difficult. It\u2019s a totally different matter when you post a photo online without noticing a ticket or, say, a sticky note with passwords accidentally in frame. Here are several cases when people published confidential data online without realizing it.<\/p>\n

1. Posting photos against a password backdrop<\/h2>\n

Photos and videos taken in offices and other facilities reveal passwords and secrets way more often than you might think. When taking snapshots of colleagues, few people pay attention to the background, the result can be embarrassing \u2014 or even dangerous.<\/p>\n

Military (lack of) intelligence<\/h3>\n

In 2012, the British Royal Air Force put its foot in it<\/a>, big time. Along with a photo report about Prince William, who was then serving in an RAF unit, login details for MilFLIP (military flight information publications) were made public. A username and password on a piece of paper adorned the wall behind the Duke of Cambridge.<\/p>\n

Soon after their publication on the royal family\u2019s official website, the images were replaced with retouched versions, and the burned credentials were changed. Whether they were pinned on the wall again is unknown.<\/p>\n

\"MilFLIP<\/a>

MilFLIP login credentials as interior decoration. Source<\/a><\/p><\/div>\n

The Prince William incident is hardly unique. Lesser-known military personnel also share secrets online, both with and without the help of the press. For example, one officer published a selfie on a social network<\/a> against a backdrop of working displays showing secret information. The serviceman got off lightly with \u201cre-education and training.\u201d<\/p>\n

On-air leak<\/h3>\n

In 2015, French television company TV5Monde fell victim to a cyberattack. Unidentified individuals hacked and defaced the organization\u2019s website and Facebook page<\/a>, and they interrupted broadcasting for several hours.<\/p>\n

Subsequent events turned the story into a farce. A TV5Monde employee gave reporters an interview about the attack \u2014 against a backdrop of passwords<\/a> for the company\u2019s social media profiles. In the images, the text is hard to read, but enthusiasts were able to get the password for TV5Monde\u2019s YouTube account.<\/p>\n

Coincidentally, it was also a lesson in how not to create a password: The secret phrase in question turned out to be \u201clemotdepassedeyoutube,\u201d which, translated from French, is literally \u201cyoutubepassword.\u201d Fortunately, the company\u2019s YouTube and other accounts emerged unscathed. However, the password backdrop story provides some food for thought regarding the initial cyberattack.<\/p>\n

\"TV5Monde<\/a>

TV5Monde employee gives an interview against a backdrop of passwords. Source<\/a><\/p><\/div>\n

A similar incident occurred just before Super Bowl XLVIII, in 2014, when the stadium\u2019s internal Wi-Fi login credentials<\/a> snuck into the lens of a TV cameraman. To add irony to injury, the footage came from the command center responsible for event security.<\/p>\n

\"Wi-Fi<\/a>

Wi-Fi login credentials displayed on a screen in the stadium command center. Source<\/a><\/p><\/div>\n

2. Using fitness trackers<\/h2>\n

Devices that you use to monitor your health might very well enable someone else to monitor you<\/em><\/a>, and even extract confidential data<\/a> such as a credit card PIN code from your hand movements. True, the latter scenario is a bit unrealistic.<\/p>\n

But data leaks about the location of secret facilities are, unfortunately, perfectly true-to-life. For example, the Strava fitness app, with a user base of more than 10 million, marks users\u2019 jogging routes on a public map<\/a>. It has also lit up military bases<\/a>.<\/p>\n

Although the app can be configured to hide routes from prying eyes, not all users in uniform, it seems, are versed in such technicalities.<\/p>\n

\"Soldiers'<\/a>

Soldiers\u2019 movements at a US military base in Afghanistan shown by Strava heat map. Source<\/a><\/p><\/div>\n

Citing the threat of new leaks, in 2018 the Pentagon simply banned deployed US soldiers<\/a> from using fitness trackers. Sure, for those who don\u2019t happen to spend their days at US military bases, this solution may be overkill. But all the same, we recommend taking the time to configure the privacy settings in your fitness app.<\/p>\n

3. Broadcasting metadata<\/h2>\n

It\u2019s very easy to forget (or not know in the first place) that secrets can sometimes be hidden in information about files, or metadata<\/a>. In particular, photographs often contain the coordinates<\/a> of the place where they were taken.<\/p>\n

In 2007, US soldiers (there seems to be a pattern developing here) posted online photos of helicopters<\/a> arriving at a base in Iraq. The metadata of the images contained the exact coordinates of the location. According to one version of events, the information was subsequently used in an enemy attack that cost the United States four helicopters.<\/p>\n

4. Oversharing on social media<\/h2>\n

You can learn some secrets simply by looking at a person\u2019s friends. For example, if salespeople from a particular region suddenly start appearing<\/a> in the friend list of a company manager, competitors may conclude that the organization is searching for new markets, and try to steal a march on it.<\/p>\n

In 2011, Computerworld<\/em> journalist Sharon Machlis carried out an experiment<\/a> to glean information from LinkedIn. In just 20 minutes of searching the site, she found out the number of moderators of Apple\u2019s online forums, the setup of the company\u2019s HR infrastructure, and more.<\/p>\n

As the author admits, she didn\u2019t find anything like a trade secret, but Apple prides itself on taking privacy more seriously than the average company. Meanwhile, from the job duties of an HP vice president, again listed on LinkedIn, anyone could find out<\/a> what cloud services the company was working on.<\/p>\n

How to avoid inadvertently spilling data<\/h2>\n

Employees can unwittingly share a lot about your company. To keep your secrets from becoming public knowledge, set strict rules for publishing information online, and inform all of your colleagues:<\/p>\n