Follow Cybersecurity Best Practices to Protect Yourself from Tracking Technologies and Spyware
Description
The Bottom Line
Tracking technologies allow third parties to gather information about you. Some particularly insidious tracking technologies constitute a class of software known as spyware, which threat actors can use to track your location and communications, access the data on your device, and even activate device functions like the camera and microphone without your knowledge. Applying lessons earned in Project Upskill will make it harder for threat actors to install this technology on your device.
The Problem
Tracking technologies can gather information about individuals, often without their knowledge. Threat actors can use these technologies to develop targeted cyber campaigns.
Topic 6.0: Limit your digital footprint covered some of the ways that data brokers collect your personal information and build detailed profiles that can be sold by almost anyone―including threat actors.
Topic 6.2 covers other forms of tracking technology that can be used to develop a targeted cyber campaign. While commercial entities use some of these technologies to personalize their marketing and enhance their products, threat actors can also use them for malicious purposes.
Adware and cookies are two common tracking technologies, primarily used by commercial entities, to learn more about your interests, preferences, and activity online and across apps―but threat actors can abuse them.
Threat actors can abuse adware in phishing attempts by creating distracting pop-ups that contain malicious links you are likely to click on and inadvertently give them access to your device and data. In addition, adware used for legitimate commercial purposes carries the same risks captured in Topic 4.2, since this information can end up in data broker profiles that can be bought and sold by virtually anyone.
Cookies are another tracking technology that install small bits of code on your browser or device when you visit a website. Tracking cookies can collect anything from how long you spend on a website, to the phrases you type into a search engine, to any personally identifiable information it can obtain from your web browser use. Data brokers and advertising networks can use cookies to compile and sell your information. Threat actors can also develop cookies to obtain information about potential targets.
Keyloggers, rootkits, stalkerware, and trojan horses are technologies that threat actors of varying levels of sophistication can use to track you and access your device, accounts, and data.
These technologies can be used to obtain passwords and gain access to accounts containing sensitive information, activate your device’s camera or microphone, or gather anything from calls and messages to keystrokes, locational data, web browser activity, and app or social media activity.
Technologies that meet the definition of spyware are often used to intimidate, silence, and suppress high-risk communities, including dissidents, activists, human rights defenders, journalists, academics, and humanitarian organizations.
Not all tracking technologies constitute spyware. In December 2022, Congress defined spyware to encompass software that enables unauthorized users to remotely access information stored on a device or transiting the internet. Spyware includes technologies that can remotely record telecommunications or audio, track locational data, or access text messages, files, emails, contacts, photos, or browsing history on a device not owned by the unauthorized user. Spyware is often used in targeted cyber campaigns to surveil high-risk communities without their knowledge.
The Solution
If you believe you are being personally targeted by a sophisticated threat actor and you have a macOS or iOS device, you can turn on Lockdown Mode, which will essentially “lock down” some features on your device to minimize your vulnerability to a cyber intrusion.
See About Lockdown Mode - Apple Support to learn more about Lockdown Mode and how to enable it on your macOS or iOS device.
Only download software from its original source.
Fake versions of real applications (apps) are often available from malicious sources. Only download apps directly from your operating system’s (OS) app store (or, as applicable, a trusted app store).
Reboot your device weekly.
In some cases, powering off your device will rid it of spyware that has been installed. Therefore, you should establish a habit of rebooting your device weekly.
Complete Project Upskill to reduce the likelihood that tracking technology is successfully installed on your device and able to access sensitive data:
- Implement user account control to make it harder for threat actors to gain access to critical device functions and data. (Project Upskill Topic 1.0)
- Routinely update your OS and apps to reduce the likelihood that a threat actor can exploit vulnerabilities and access your device. (Project Upskill Topic 1.1)
- Install antivirus and anti-malware software to detect malicious software on your device. (Project Upskill Topic 1.2 )
- Manage your application permissions to minimize the amount of data third parties might be able to access on your device. (Project Upskill Topic 1.3 )
- Vet technology products and services before you add them to your digital ecosystem to avoid introducing vulnerabilities into your digital ecosystem. (Project Upskill Topic 1.4)
- Manage the physical security of your digital devices to prevent threat actors from stealing your devices or inserting malware. (Project Upskill Topic 1.5)
- Use long, random, and unique passwords to reduce the likelihood that a threat actor can compromise your account. (Project Upskill Topic 2.0)
- Use a password manager to help you generate and remember strong passwords. (Project Upskill Topic 2.1)
- Use multifactor authentication (MFA) to bolster your account security. (Project Upskill Topic 2.2)
- Encrypt your devices (system encryption), external removable media (drive encryption), and documents (file encryption) to prevent threat actors from accessing your data. (Project Upskill Topic 3.0)
- Protect data stored on old devices that you no longer use by using system encryption and storing old devices in a safe. (Project Upskill Topic 3.1)
- Use secure messaging apps for calling and texting to prevent threat actors from eavesdropping on your communications. (Project Upskill Topic 4.0)
- If you have to email sensitive information and don’t know how to set up end-to-end encryption, attach an encrypted document to your email to prevent threat actors from eavesdropping on your communications. (Project Upskill Topic 4.0)
- Only visit websites beginning with HTTPS:// to protect any information that you exchange with that website. (Project Upskill Topic 4.1)
- Routinely update your browser, close it out frequently, and change your browser settings to limit and clear cookies to minimize the amount of data third parties might be able to access. (Project Upskill Topic 4.2)
- Ensure that any cloud service you use offers MFA and encrypts your data while at rest and in-transit to protect your data. (Project Upskill Topic 4.3)
- Modify the router settings for your home Wi-Fi to maximize your privacy and security. (Project Upskill Module 5)
- Disable your Ad ID and consider making requests to data brokers and other online platforms to delete your data to minimize the amount of information publicly available about you on the internet. (Project Upskill Topic 6.0)
- Be cognizant of what information you (and your family and friends) share about you online to reduce a threat actor’s ability to conduct open source intelligence on you. (Project Upskill Topic 6.1)
- Be alert for potential phishing attempts to reduce the likelihood that a threat actor steals your credentials or inserts malware on your device. (Project Upskill Topic 6.1)
Project Upskill is a product of the Joint Cyber Defense Collaborative.
Prerequisites
- Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
- Module 2: Protecting Your Accounts from Compromise
- Module 3: Protecting Data Stored on Your Devices
- Module 4: Protecting Your Data in Transit
- Module 5: Securing Your Home Wi-Fi
- Module 6: Managing Your Privacy and Security Online
- Topic 6.0: Limit Your Digital Footprint
- Topic 6.2: Manage your Online Presence