Social networking sites have become living biographies of people and may set them up for social engineering attacks. From time to time I enjoy looking to see what I can find out about people who send questions to me using the AskESET@eset.com address. I won’t ever name names, but I wanted to share one example.

So, in the interest of protecting an identity, which seems a bit silly since she didn’t really protect her identity, I’ll say the person of interest is Jane Doe. Of note, the more common a name is, the more difficult it is to accurately identify the person. In this case I had a first name and last name, an email address, and the city in which Jane lives. Simply using Google I was quickly able to find out where Jane works. Jane was a bit surprised at first that I figured this out. I also found her MySpace account, her FaceBook account, her Twitter account (she doesn’t tweet much) and several other sites she was signed up on and has posted information on. I know who her father is, how old he is, that he served in the Military and when and where he went to college. I know the name of one of Jane’s sisters. I don’t know if she has more than one sister, but I know her sister’s career and what city she lives in. I also know where Jane went to high school, the exact address where she works, where she went to college and what she was interested in. From other web sites I found a number of her hobbies and even an approximate address where she once lived. In a follow-up conversation Jane informed me that she no longer lives there and even challenged me to find her new address. Frankly, I’m not motivated enough to try to do that, but I bet I could.

Based upon the friends that Jane, her sister, and her father list on MySpace and FaceBook, and where they live, I can make a pretty good guess as to which friends she actually knows as opposed to those who sent messages requesting to be an online friend.

I also know of a rather traumatic injury Jane suffered, as well as some family holiday traditions, her political leanings and the leanings of some members of her family, such as one of her grandfathers.

With all of this information it would be very easy for someone to pull off a highly successful social engineering attack. Such an attack could be directed against Jane herself, or could quite possibly convince a friend of hers that I know her and allow me to gain even more information.

When people know a lot about us we tend to believe them when they say we’ve met, even if we don’t remember them. It becomes much easier to gain trust when another person appears to share mutual interests as well. Like me, Jane (and her sister) has a passion for music.

If you are going to put your life on the web, keep in mind that someone who seems to know a lot about you may not know you at all. To some extent you can protect yourself against people trying to gain your trust for malevolent reasons, but that doesn’t mean that they can’t trick your friends into giving up even more information about you. If I were a rejected ex and Jane had changed her contact information so that I would not find her, I would have a bunch of people I could attempt to trick into providing me with the information I might wish to know.

Recently FaceBook suggested that all users update their profiles, and the suggested settings amounted to an excessive lack of privacy. If you took their suggestions, you might want to consider going back and adjusting your privacy settings so that only people you have chosen as friends can share in your life’s unfolding story. It’s a good idea to choose your friends carefully.

In the new world of social networking, it would be a great idea for sites like FaceBook and MySpace to have a tiered “Friend Approach”, with something like “Acquaintances” and “Friends”. Acquaintances would be the people you don’t really know at all, and “Friends” would be the people you have reason to trust. This would be complemented with granular privacy settings so that you could selectively share different types of information with people who have different levels of trust.
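As an added example, not code from the original post or from any social network, here is a small model of that tiered approach: the tier names, the profile field names and the sample friend lists are all constructed for illustration. It contrasts the “everyone sees everything” setting with a tiered policy where a stranger sees only initials, an acquaintance sees shared interests, and only a trusted friend sees the details an impostor could use.

```python
# Trust tiers, lowest to highest. Anyone not on the owner's lists is "public".
TIERS = {"public": 0, "acquaintance": 1, "friend": 2}

# Constructed profile fields, modelled on the kinds of facts the post found.
# Value = minimum tier a viewer needs to read that field.
OPEN_POLICY = {  # the weak setting: every field readable by anyone
    "display_initials": "public", "full_name": "public",
    "employer_address": "public", "high_school": "public",
    "family_members": "public", "hobbies": "public",
    "old_home_address": "public", "injury_history": "public",
    "political_views": "public",
}
TIERED_POLICY = {  # the tiered setting: strangers get initials only
    "display_initials": "public", "full_name": "friend",
    "employer_address": "friend", "high_school": "acquaintance",
    "family_members": "friend", "hobbies": "acquaintance",
    "old_home_address": "friend", "injury_history": "friend",
    "political_views": "friend",
}


def classify_viewer(viewer, friends, acquaintances):
    """Map a viewer to a tier using the owner's own lists (least privilege:
    an unknown requester is treated as a stranger, not as a friend)."""
    if viewer in friends:
        return "friend"
    if viewer in acquaintances:
        return "acquaintance"
    return "public"


def visible_fields(policy, viewer_tier):
    """Return the set of fields a viewer at `viewer_tier` may read."""
    if viewer_tier not in TIERS:
        raise ValueError(f"unknown tier: {viewer_tier}")
    level = TIERS[viewer_tier]
    return {field for field, needed in policy.items() if TIERS[needed] <= level}


def exposure(policy, viewer_tier):
    """Fraction of the profile (0.0 to 1.0) readable at this tier."""
    return len(visible_fields(policy, viewer_tier)) / len(policy)


if __name__ == "__main__":
    # Constructed lists: a stranger who sent a friend request is on neither.
    tier = classify_viewer("stranger", friends={"sister"}, acquaintances={"coworker"})
    print(tier, sorted(visible_fields(OPEN_POLICY, tier)))
    print(tier, sorted(visible_fields(TIERED_POLICY, tier)))
```

Under the open policy the stranger reads every field; under the tiered policy the same stranger reads only the initials, which is the choice Jane ended up making for her email display name.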

I had an interesting email exchange with Jane about the subject and she really is quite comfortable, overall, with the information she put out there. That said, she decided that her email display name would only contain her initials, rather than her full name. This allows her to choose who gets to Google her. A reasonable action.

If you understand the risks and weigh the benefits of your actions, you can make an informed security choice. You can manage your risk as you see fit, but if you do not understand the risks you cannot make an informed decision.

In closing… I’d like to say Jane, I admire your civic contributions. Jane is a huge supporter of a wonderful non-profit organization and a champion of kids!

Randy Abrams
Director of Technical Education