Given recent high-profile data losses such as the HMRC and HSBC incidents in the UK, personal data loss has received a great deal of attention recently. How ironic then that most of us have data out there for all to find on social networking sites, forums and job sites.
Ofcom's report on social networking, published last month, states that users "may be aware of the risks, but this awareness ... is not always translated into action". Reasons cited for user inertia include a lack of awareness of security issues; the assumption that the social networking site had taken care of any privacy and safety issues; and the fact that privacy and safety information was difficult to find and to use.
The report was followed by a lengthy tome of guidance from the Home Office. Much of the advice is welcome, but the report failed to make recommendations for dealing with forged friend requests, a likely growth area for identity theft. It's relatively easy for an attacker to view your contacts and hijack the identity of one of them to find out more information about you. One of the most positive aspects of social networking is the ability to make contact with old friends, so how is one supposed to authenticate them as genuine?
So just how vulnerable is your profile to attack? The following exercises will help you find out.
Enter your corporate email domain name into Google Groups, for example '@companyname.com'. (You'll need to click 'more' on the search page to find the Groups search function).
How many hits did you get? Now try your full work email address. Has anyone in the business made postings using their work email address? This is not a good idea, as it facilitates targeted email-borne attacks.
Did you ever set up a profile on Friends Reunited? Everyone forgets these, now we're in the age of Facebook and MySpace. Search for yourself using the basic search on the homepage. How many hits were there? The more the merrier, as it will make it harder to find you. You might want to strip out unnecessary info from your profile. Keep it to the bare minimum of the school you attended.
Try Googling yourself. See if you can find out anything about yourself searching only for your name. Has Google indexed content that would be useful? Would someone be able to find out the name of the town where you live?
Try an online directory search such as 192.com. Search by your name and, if you found it, the town where you live. Did it come back with your address, others living in your house and your phone number? This is scary stuff.
Do an upgraded search of an online register of births, deaths and marriages: 192.com and many others have interfaces to the register. See how long it takes to find your mother's maiden name. By this stage, without even touching a social networking site, you've probably got hold of the majority of your identity.
Search for yourself on Facebook, assuming you have an account. Can you access your profile without becoming a "friend"? If not, can you see your list of friends? Ask yourself how useful that information could be.
Secure your Facebook account! You log in over HTTPS, but once you have done so the session drops to HTTP for performance reasons. Facebook users often access their account at least every other day, making it a common URL on open networks such as WiFi hotspots. It would be relatively easy to sniff a session and browse someone's account at leisure given that Facebook sessions do not expire, even after a period of inactivity.
- Ken Munro is managing director of SecureTest. He can be contacted at firstname.lastname@example.org.
How exposed are you?
By Ken Munro on May 22, 2008 3:26PM