I Know What You Did Last Summer
Some people are very willing to give up personal information and most aren’t aware how much they are revealing. From social networking sites to personal Web pages to email, strangers now have access to more personal information than ever before. Look at any person’s page on a social networking site and you can see information ranging from first name, last name, address, email address, phone numbers, birthday, photos, employers, education, well, you get the point.
So why would letting the world know inconsequential information such as my dog’s name be so dangerous? Most users have passwords taken from their personal lives such as educational institutions, favorite hockey team (Go Leafs Go), pets' names (Fluffy), or even family members’ names. Or, when a user forgets the password to their email, the email program asks them a predetermined “secret” question, like “What is your favorite colour? What was your first pet’s name? What is the air-speed velocity of an unladen swallow?” – all of which can be found on social networking sites.
In the 10 minutes I spent as a visitor to a social networking site, I found a page that listed a Floridian woman’s complete employment history, complete education history, maiden name, email address, and that she was applying to a Florida university for fine arts and was waiting for funding. Making all this information public may help old childhood friends find you, but it also gives attackers more than enough information to stage social engineering attacks. In this case, an attacker could pose as an officer from the finance department of the University and email her a scholarship offer with a request for her social security number. Or, they could pose as the alumni committee of her college asking her to buy tickets to the next reunion with her credit card. Worst of all, with all the other information voluntarily revealed on her page, the attacker could easily steal her identity.
Social networking sites aren’t the only culprit for advertising personal information. I found the personal Web site of a New York man that listed his email, home and work addresses (with a note that says “Come visit me”), university transcripts with student number, mobile and work phone numbers, and a resume. Now, most people won’t have that much revealed on their Web sites but as I’ve discovered, opportunistic ne’er-do-wells only need the most minor amounts of personal information to find out more. I went on a Web directory and realized that not only could I conduct reverse number and address searches, but I could also get a list of all the names, addresses, and phone numbers of all the neighbors in the surrounding area.
When I bought my first house, my mother told me to draw all my curtains and use a timer for the house lights when I was traveling. “You don’t want people to know that you’re not home. They may break in and steal your Andy Lau DVD collection!” Most people would consider this common sense when it comes to their house, but they let their guard down when it comes to the Internet. On Facebook there’s a status option that lets users show their current activity. For example, one of my “friends” had this status on his profile page: “John Doe is off to LAX – ORD – YYZ”. This status line is visible to anyone with a Facebook account and if the user posts a home address or phone number, it amounts to leaving a stack of newspapers on your front door while you’re on vacation. Automatic out-of-office replies on email programs do the same thing. A former colleague of mine traveled a lot for his job and his out-of-office reply always detailed his whereabouts.
“I will be in Halifax from 1 to 8 August 2007. If you need to contact me, please call my cell at (250) 555-1234.”
Attackers can connect these small bits of information to form whole identities. So be careful what you post online and give out. Once your information is out there, it’s very difficult to erase. As I like to say to my partner, “You said it, you can’t unsay it”.