Volunteer your services, not your personal information

With the increase of natural disasters in the United States, more people are getting involved in the relief effort by donating their time. Ad-hoc volunteer groups are using free tools to join and lend a hand, but is their information safe?

After seeing the devastation from hurricanes Harvey and Irma, many people wanted to help the victims. Some donated money, while others donated their time and traveled to neighborhoods and helped homeowners clean up. Having helped during super-storm Sandy, I know that there is nothing more rewarding then helping others during this trying time. But sadly, there are fraudsters who take advantage of situations like this for illicit financial gain.

When we hear about fraud stemming from these events, we usually think of fake donation sites, unscrupulous thieves passing themselves off as contractors and an uptick in hurricane relief phishing emails. Yet, something I’ve noticed seems so benign, if I wasn’t indirectly affected by it I wouldn’t have even thought about it. I’m talking about harvesting personal information from unprotected Google Drive documents used in many communities or among friends as a free and convenient way to mobilize and assist the hurricane victims.

Here’s an example of how a good thing can be used for bad

Small-town USA has a dedicated group of volunteers who mobilize anytime there is an emergency in the community. They keep track of the volunteers in a Google Drive spreadsheet which is made public so anyone in Small-town can join. To publicize the spreadsheet, a link was posted on all the small-town volunteer and local government sites. Within the spreadsheet is a listing of each volunteer with their name, mobile number, address, email address and availability. There is also a comments field so each person can let the coordinators know of any issues that may preclude that person from helping in a specific event.

One person (let’s call her Sue) says in the comments field that she and her family will be out of the country from September 1 through 22. As most of you begin to grin because you know where I’m heading, Sue has no clue that she has done anything wrong, in fact she feels pretty good that she has advised the group that she will be available to help anytime except those dates.

Needless to say, when Sue and family returned home they found their home ransacked and many of their possessions gone. But something else happened, some people on the spreadsheet started receiving a large amount of robo calls on their mobile phones and other solicitations via email. Some were spear phished with information they had entered into the spreadsheet. It seems that because the spreadsheet was public, nefarious individuals were searching and came across this list of 250 community members and their information.

I created the scenario above based on an experience I had of being asked to join a carpool list for a friend of mine who needed people to drive him to therapy twice a week. A shared Google Drive spreadsheet was created so friends could sign up to drive him. We were asked to fill in our name, mobile number and the dates we were available (no email addresses were posted). As I use a Google voice number when I don’t want to give out my mobile number, I started noticing within a few weeks that I was receiving a lot of calls on that number to pay off my student loan or refinance my house. I even received a call from the IRS in Washington saying that I was going to be arrested shortly for not paying my taxes. I decided to change my Google voice number on the web document and see what happens. To my surprise, my robo call volume went down after a while but of course they haven’t ceased.

While I am not certain that my mobile number was taken from that sheet, it made me think how easy is it to search for public documents which contain an abundance of information. Many large corporations don’t allow their employees to post anything to Google Drive at work. But mid-sized and smaller companies usually don’t have the expertise in-house to control that, or even know it could be a privacy and security issue.

If you are a business you should check out G Suite from Google Cloud as a more secure alternative to Google Drive although there is a fee involved.

The following suggestions are a few fundamental things every person should do in order to minimize the threat of data leaking from documents if you are using Google Drive:

  1. Even with access and privacy controls, never upload or post confidential company or personal information. It’s your job to ensure the security and privacy of the documents, not Google or whatever cloud service you use.
  2. Ensure data at rest is encrypted. There are inexpensive alternatives in the cloud where you can store your information in an encrypted form.
  3. Change your defaults to maximum privacy. If you need to have specific people access certain documents, send them a link via email.
  4. Create folders on your Google Drive which can be either public or private. By creating folders, you can add files to the folders which will take on the security characteristics rights of the folder itself.
  5. If you need to keep your documents public, remember that the information is potentially viewable by everyone. Post your information accordingly.
  6. Smaller organizations without a security SME should consider blocking access via a proxy server to deny employee access to Google Drive. If you have configured it correctly and have other controls already in place you can greatly reduce the risk of your confidential information ending up on this medium.

Although I have only listed six tips above which apply to home uses and companies, by having strong security policies, procedures and controls at your organization you can greatly reduce this additional risk.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)