Image geotags, metadata, and location information can allow competitors, cybercriminals, and even nation-state threat actors to gain knowledge they can use against organizations.

Marketers in every industry enjoy demonstrating their reach to their superiors and providing tangible examples of their breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.

Harvesting photo data for competitive intelligence, targeting attacks

The value of that gold doubles when not only does the company harvest data and call it a success, but its competitors also analyze such photos, capturing a plethora of useful data points, including geotagged data, metadata of the photo, and the identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and/or location hints within photos is a double-edged sword.

It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic.

Warnings on physical and digital targeting galore

The State Department’s Overseas Advisory Council (OSAC) in a publicly available warning notice highlighted the physical and digital targeting that can take place via location sharing. OSAC’s audience is predominately U.S. companies conducting business abroad. They mince no words: “Location sharing is the easiest way for malicious actors to find you in real life.” Similarly, as far back as 2012, the U.S. military has been warning personnel of the security risks associated with posting information that provides the location of personnel, specifically calling out applications that access an individual’s precise location. (Are there apps that don’t do this?) For this reason, many travelers opt to use travel phones, essentially burner phones, to communicate with both office and family without the risk of the device being directly associated with the individual and thus providing pieces for the targeting mosaic that a third party may be in the process of creating.

For years privacy advocates have been urging individuals to tame their desire to let the world know what they are doing and where they are doing it, cataloging this as TMI (too much information). When identifying where you are, you are also highlighting where you are not. Information is monitored and exploited by those investing a few moments of their time to monitor the social media flow of a targeted individual or entity. Corporate travel programs should be addressing the need for discretion in their annual and pre-travel briefings for executives. Canada’s Royal Canadian Mounted Police (RCMP) have also issued warnings to individuals concerning their desire to share and tag themselves and others. Their recommendation is to turn off the geotag function on your devices, so as to reduce the likelihood of being targeted.

Yet, when on vacation the urge to share is overwhelming and has unfortunate results, not always for the individual sharing, but for the people, places and things which are located within the frame of the photo.
A few examples:

Ukraine: It is well known that Ukraine is pulling out all stops to own the cyber information space, which includes harvesting data off images posted by those in Russia on various online forums. Most recently a Russian tourist took a selfie with a Russian S400 missile system. Ukraine’s Ministry of Defense posted a mocking video of Russian tourists in Crimea, suggesting that it was not a place to visit.

Ukraine again: Similar to the harvesting of openly available information, the enterprising Ukrainians have taken to catfishing Russians online. A group called “HackControl,” a.k.a. “Hackyourmom,” has a cadre of personnel managing multiple personas on social networks such as Facebook and Russia’s Vkontakte (VK), which they use to induce Russian soldiers deployed in Ukraine to share photos of themselves, often photos that contain useful geotags, metadata and other information of use to the Ukrainian defensive effort. Mykhailo Fedorov, Ukraine’s minister of digital information, was quoted in the Washington Post: “We’re getting thousands of reports per day. They’re very, very useful.”

Africa: On nature preserves, rangers have placed signs in strategic locations imploring tourists to do their part in saving their animals. “Please be careful when sharing photos on social media. They can lead poachers to our rhino. Turn off geotag function and do not disclose where the photo was taken.”

What should CISOs do about photo sharing?

The bottom line for all CISOs is to educate, through awareness training, how seemingly innocent behavior may inadvertently place individuals and the company at risk, simply by wishing to be social or to demonstrate their entity’s marketing reach. OSAC’s advice is to never check in, avoid advertising where you are going, only post where you’ve been, and avoid revealing businesses or locations you visit frequently.