So earlier this year, I wrote a piece about how we as humans are so quick to give away personal information to various companies in the quest for discounts or free stuff. As I gave it further thought, I realized that sometimes we give away our personal information in search of something even more abstract: likes.
We post pictures of our food, our cars, the hotels we stay at, scenery as we take vacations… I was listening to a comedy bit by Norm MacDonald talking about how we used cameras with actual film to take pictures “in the olden days.” We used to take film to a photomat and wait a week or more for the photos to come back and then show them to our friends. Now we can take photos and share them instantly on Facebook, Instagram, Snapchat or whatever your platform of choice is so that we can collect our likes.
But what’s wrong with that, Mr. Orr? Why are you barking at the moon today? Well, dear reader, the answer is this: social engineers can leverage even the tiniest bit of information against you.
We have all heard the stories of people who got robbed because crooks knew they were out of town on a vacation from the pictures they were sharing. Even if you don’t share those pictures in real-time, turn off geo-tagging or set your privacy just so, you still leave enough of a trail from which a black hat can derive a tremendous amount of data and then leverage it against you.
If it seems like I won’t shut up about DEF CON this year, it’s because it seems like security has been trapped in an echo chamber for so long. We are great at talking to each other about security and complaining about how the muggles are so stupid for letting themselves get conned, scammed, hacked, etc. Indeed, DEF CON is a great example of us all getting together and patting ourselves on the back for how smart we are. That being said, I would like to see us get out of the echo chamber and start educating people about the risks they take when they post pictures of their car or the perfect blouse they found on Amazon on social media.
In this article on CNN, for example, a reporter asked one of the top social engineers at DEF CON to “hack” him and he found the results quite alarming. The hacker was able to get his home address and phone number on the basis of two photos posted on his Instagram account. Didn’t even have to do anything particularly “hackerish” like dig into the geo-tags. (My buddy Ken Westin did a talk on this several years ago at DEF CON; you can see it here.) In this case, the hacker simply called the furniture store that the reporter tagged on Instagram in the picture of the piece he bought and simply pretended to be his wife. I would imagine it took all of five minutes to do or less. She didn’t have to hack any databases or break into any data centers, things which would have set off any number of alarm bells.
Maybe the whole thing is a Pandora Box. The cat is out of the bag, the horse is out of the barn…. For years now, we have all posted on Facebook, Instagram, whatever without a thought about security. Our information is OUT there. Short of attempting to delete yourself from the internet (which is technically possible but largely impractical), your pictures and posts are forever. Like I tell my kids, don’t post anything that you wouldn’t want to tell your grandmother out loud in church. Tweets are forever; even if you delete them, some interested party will probably dig it up or have a screengrab. Just ask Kevin Hart or any number of people who lost jobs over old tweets or photos.
Go ahead and harvest your likes, but just know that the information you put out there makes it even easier for the bad guy to get your personal data. They don’t even have to know how to do a SQL injection to do it.