Ron Kelson, Pierluigi Paganini, Fabian Martin, David Pace, Benjamin Gittins
In our first article we talked about the intentional or unintentional disclosure of personal information in social networks that can expose you to logical (computer-based) threats and we gave you some recommendations about how to properly manage this risk of exposure.
In this article we will touch on a much more delicate aspect of your online existence. We ask this question:
“Can your public disclosure (of information) in the virtual world expose you to any kind of threats in the real world?”
Social networks are a way to contact people, to make professional relationships, a means to share your personal or professional life. Sometimes you use blogs as a way to simply record your thoughts, your feelings and your memories. This is fine, but the problem is that most of us are not sufficiently aware of the (default or otherwise) security settings of social network (publication) systems, or of the potential ramifications of exposing specific items of personal information to the world.
First of all, let's look at the type of information you are publishing in the virtual world. Are you posting information about your lifestyle, such as trips, cars, the brand new top-of-the-line smartphone you bought last week, or your last visit to a Louis Vuitton store? Are you posting information about your family and relatives? Does your job description on LinkedIn describe you as a CEO, CIO, or another position that indicates you could be earning a lot of money?
Of course, at this moment you may be second-guessing what comes next. Maybe you have that uneasy feeling in your stomach, and are thinking:
“Ok, here they come again with that paranoid fear thing”.
There’s no need to worry. We will not be paranoid. But we will give you some facts.
It is not uncommon to find many profiles on the Internet that openly publish and expose a lot of personal information. A recent informal study, representing about 20 hours of effort by a Brazilian hacker team, found more than 200 open profiles on the MSN network (MSN Messenger, Hotmail…). During that time they collected the following statistics:
The Brazilian hacker team identified some profiles as belonging to teenagers who openly exposed themselves in provocative, sexy or otherwise alluring photos. Many teenagers' profiles published photos of their parents' “new car”, “new boat”, and so on.
These results were acquired in just a few hours, so we can only imagine what they could achieve if they allocated more time, or programmed computers to automate the process.
When not properly configured, social networks may expose significant information about you, your social behaviour, your relatives, friends and colleagues. Complete strangers can track your last trips, recognise your cars and their number plates, identify the restaurants you go to, and the people that surround you. They may also be able to establish your religious or political beliefs, nationality and other characteristics that may be subject to prejudice. They can profile whether you take high risks in your personal life (for example, partying hard, drinking heavily, and so on). They can then take a look at your company, discover your position and figure out your social level and, almost certainly, your income. This could be used to identify you as an attractive partner. However, it can also be used to select you for targeted physical attacks, including theft, stalking, harassment, date rape, extortion, blackmail or kidnapping.
This threat is not confined to unwary users: some high-ranking NATO officials have apparently taken an interest in using social networks, and this has been exploited by cyber criminals.
A series of articles published since 2007 have studied the security problems arising from the use of social networks, and the ways in which social networks are financially motivated to expose your private information to others. Mexican journalist Joaquín López Dóriga has carefully studied how kidnappers exploit social networks as a tool to profile targets and execute physical attacks. We are not talking about the use of computer malware. We are not talking about the use of targeted phishing attacks. We are talking about the risks that arise from employing low privacy settings on social networks, and the consequences that can follow from the indiscreet disclosure and publication of personal information.
In Third World countries, “lightning kidnapping” is very common. The process is as follows:
The attackers search social networks for interesting targets, refining their search for ideal targets by keywords such as “Trip”, brand names of expensive products, matching searches against your “likes” and by inspecting published photos.
After identifying an interesting match (for example, affluent? living alone? no dog? travels regularly to the same places? has a good job? doesn’t work out at a martial arts centre? and so on), they identify your habits and where you will most likely be at any given time of the day.
The kidnappers then abduct you in the morning. They take you, under duress, to places you normally visit. They force you to withdraw cash from ATMs you normally use, buy items they want with your credit card, then take your mobile/cell phone and leave you in a remote location.
This type of attack does not raise any “warning flags” in financial security systems, because the transactions occur in locations you frequent and involve spending on expensive items that fit your personality type.
“Lightning kidnapping” may be uncommon in Malta, but similar strategies can be employed to identify when people won't be home in order to steal their belongings, or to identify people susceptible to various types of scams or attacks in the real world, such as “date rape” or drug-facilitated sexual assault.
Last year, during a hacker conference in Brazil (the H2HC, Hackers to Hackers Conference), a study was presented in which some security researchers visited a used computer server store and bought an old server that used to be owned by a major financial institution. They took that server home to study the effectiveness of the institution's data-wiping procedures, a question of real interest for computer forensics. They were surprised to discover that the server contents had not even been erased! Even worse, they were able to access a database with hundreds of profiles of “private bank investors” (affluent people who had invested more than US$1 million). With that sensitive information in hand, and under the supervision of a lawyer, they designed an experiment to answer this question:
“How easy is it to get physically close to some of these people?”
Well, to shorten the story, in just a few weeks they were able to discover the home address of an investor, get pictures of his house using Google Street View, find the investor's personal account on Facebook and then start to analyse his social network. The hackers became friends of his friends online (remember our last article on this?) and, finally, were able to meet the investor in person at a party (through his network of connections) and even shake his hand…
So, read the fine-print agreement before joining a new network. Be sure that the information you post is only about you and that you can remove that posting any time you want. Complete control of your information is the main weapon of defence in the hands of users; always check what protection the laws of your country give you. Be sure that you can moderate any third-party posting about you. Take some time to learn how to properly configure the public level of exposure of your profile(s). Check and find out what a complete stranger may be able to learn about you from your social network postings. Think carefully about what kind of information you are exposing. You do not need to become paranoid, but you also must not be negligent, because you may be putting your friends and family in danger without knowing it. At the very least, your personal lifestyle choices may be a reason for prejudice from potential employers and may risk impacting your ability to improve your financial and career position.
So, it is a fact that social networks can expose you to not just logical/computer threats but also to a wide range of physical threats from complete strangers/predators.
Recommendations to “Keep in mind”
- It is not a contest to get the most “Friends”. Two hundred friends means you are “publishing” your life story to at least 200 people, each of whom may then gossip about you.
- Don’t be fooled into being “pressured” to be “Friends”. It’s not friendship, it is someone subscribing to the publication of your day-to-day activities.
- “Unfriend”, that is, “unsubscribe”, those people who really shouldn't be tracking your day-to-day life.
- Think about your postings… Who are you giving this information to? Would you normally give out this information in a verbal conversation to each of these people? Do they have a legitimate reason to know? How will they respond to what you have just said? Who will they tell? If you are starting to think that these are too many questions to consider for each person, maybe you are broadcasting your life story to too many people.
- Restrict access to your detailed profile information to your close, trusted friends only.
- Reduce how much information you expose to people that you are not very close to.
- Restrict the number of social networks you join. It is difficult to safely manage many different profiles.
- Be close to your children and help them manage their virtual exposure.
Prof. Fabian Martins (http://br.linkedin.com/in/fabianmartinssilva) is a banking security expert and product development manager at Scopus Tecnologia, (http://www.scopus.com.br/) owned by Bradesco Group.
Pierluigi Paganini, Security Specialist and CISO of Bit4ID Srl, is a CEH Certified Ethical Hacker (EC-Council) and Founder of Security Affairs (http://securityaffairs.co/wordpress).
Ron Kelson is vice chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited ([email protected]).
David Pace is project manager of the ICT Gozo Malta Project and a freelance IT consultant.
Ben Gittins is CTO of Synaptic Laboratories Limited. [email protected]
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Malta Government, Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Support Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT professionals to register on the ICT GM Skills Register to keep abreast of developments, both in cyber security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at [email protected] or phone +356 7963 0221.