Those who know me, know you
Have you ever “ego-Googled” yourself? That is, looked yourself up on Google? Chances are, if you haven’t, others have. Your employer probably did it before hiring you, so it can’t be that bad, right? But are you really aware of all the information that is available online about you?
Nowadays, of course, one of the easiest ways to data-mine somebody is to look them up on the many social networking sites that have sprung up over the past few years. These sites are hugely popular and you find them for nearly every user group. You can find old buddies from school that you’ve lost touch with, connect with people that listen to the same music as you, or post your CV to attract a new employer.
For sure, they can be useful. And I admit that I, too, have used them several times. Sometimes it can even be very amusing. For example, I once received an email from a headhunter. Besides offering me a position, she complained she couldn’t reach me on my listed phone number: ++1 234 567 890. What can I say - I declined the offer.
Personally, I don’t feel comfortable with the idea of having my real phone number listed out in the open. Many people, though, don’t care that much. You can find email addresses, postal addresses, detailed hobbies, family trees, whole CVs, compromising pictures, etc. - all online and pretty much all easily accessible.
This alone is already a threat to security. What makes it worse is that if you forget your password, many sites let you restore access by answering the usual questions: what’s your mother’s maiden name, what’s your pet’s name, etc. - information that might be just a mouse click away on your profile for an attacker. Of course, a lot of the same data might be found through other means - in your garbage, for example - but there’s much more work involved in finding it that way. Plus, the fact that it’s easily available online makes it available to a whole world of attackers.
And now, with more and more mash-up sites appearing, it gets even easier to mine and consolidate such information. Mash-ups are web applications that integrate data from more than one source, essentially taking data from two or more existing applications and creating a new hybrid application. So you can, for example, combine your name and address with a phonebook lookup and a location map service, together with holiday pictures of the place. It basically enables you to get a virtual view of someone’s life with just a few clicks. With many people tending to reveal every detail of their life online, the threat of identity fraud becomes substantially compounded.
Another concern is social engineering. Here, the old tricks work well in the new world. Receiving spam from a “connected” friend through an in-system messaging service is just much more promising for the attacker than sending an unrelated email. After all, he or she must be safe since we are “linked” and, therefore, not complete strangers, right? Unfortunately, attackers don’t stop there. Once in the door, so to speak, they generate convincing phishing emails out of your available information.
For example, you could be tempted to click on a link sent by “your buddy” on your favorite networking site if the message reads:
Hey Candid,
I know you like computers, what do you think about this one?
[link to a phishing auction site or malicious Web site]
Thanks, Mareike.
Or, what about:
Candid,
Have a look at the following open position, it really matches your skills.
I thought you might be interested.
Cheers, Sandro.
[link to infected CV.pdf.EXE]
Because information like names, email addresses and hobbies is readily available and can be harvested automatically by spider scripts, such insider knowledge adds a lot of credibility to such messages, and I’m quite sure that many users would fall for them.
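The second message above hides an executable behind a document extension (CV.pdf.EXE). The following check, added here as an example and not part of the original post, scans message text for such double-extension names; the extension lists and the sample messages are constructed for illustration.

```python
"""Flag file names that hide an executable behind a document extension,
such as 'CV.pdf.EXE'. Added example; extension sets are constructed and
should be extended to match local policy."""
import re

# Final extensions that Windows will execute (constructed, non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs"}
# Extensions a victim would expect to be harmless documents or pictures.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "txt", "jpg", "png"}

# Any token with at least two dotted parts: name.ext1.ext2[...]
DOTTED_NAME_RE = re.compile(r"[\w\-]+(?:\.[A-Za-z0-9]+){2,}")


def disguised_executable(filename: str) -> bool:
    """True when the LAST extension is executable and one of the earlier
    extensions looks like a document, e.g. 'CV.pdf.EXE' or 'holiday.jpg.scr'.
    The comparison is case-insensitive, so 'EXE' and 'exe' are treated alike."""
    parts = [p.lower() for p in filename.strip().split(".")]
    if len(parts) < 3:
        return False  # need at least name + document ext + executable ext
    return parts[-1] in EXECUTABLE_EXTS and any(p in DOCUMENT_EXTS for p in parts[1:-1])


def suspicious_names(message: str) -> list[str]:
    """Return every dotted name in a message that disguised_executable() flags."""
    return [m.group(0) for m in DOTTED_NAME_RE.finditer(message)
            if disguised_executable(m.group(0))]


# Constructed sample messages in the style of the ones quoted above.
SAMPLE_MESSAGES = [
    "Have a look at the following open position, attached as CV.pdf.EXE",
    "Here is the brochure you asked for: catalogue.pdf",
    "Pictures from the trip: holiday.jpg.scr (also at www.example.com)",
    "Backup of my settings: settings.backup.json",
]


def scan_messages(messages: list[str]) -> dict[int, list[str]]:
    """Map message index -> flagged names, only for messages that have any."""
    result = {}
    for i, msg in enumerate(messages):
        hits = suspicious_names(msg)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, names in scan_messages(SAMPLE_MESSAGES).items():
        print(f"message {idx}: disguised executable(s) {names}")
```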
Some instances that we have already seen show that you can also embed malicious code directly onto such sites, often using XSS and CSRF methods or browser exploits for the attack. Anyone viewing such an infected profile might also get infected and spread the worm further, or reveal sensitive information to the attacker, as has happened on MySpace a few times already. (See, for example, the Symantec articles on the worms JS.Qspace and ACTS.Spaceflash, as well as the Flash hack and phishing attack on MySpace.) Such attacks can also get boosted by the discovery of new vulnerabilities in Web browsers. The disclosure of internal system scripts, like what happened to Facebook last week with some leaked PHP files, can help attackers find new attack vectors as well. And, as we all know, it doesn’t take them long to exploit any window of opportunity.
This wasn’t the first time this happened to a social networking site, and it most likely won’t be the last. You should make sure that you are aware of the personal information you share online, who can see it, and what consequences this might have. For example, can information on your Facebook profile easily help someone figure out your online banking account? If you decide to do a virtual striptease, make sure you know where to stop; otherwise you might end up quite out-of-pocket, as it were.