There is a certain psychology involved with the games that advertisers play with us in order to collect valuable information based on our habits. Consider social engineering, the ability for a person to gather information or favors that they normally wouldn’t provide based on the human element.
In the realm of social networks, these tricks resurface and morph with a certain regularity. Consider articles posted on social media with topics like, “You will never believe what this person did!” or “The top 5 ways you may be shortening your lifespan!” These catchy titles that lead to blogs that make money from advertisement revenue are often referred to as ‘click bait.’ These click-troughs also allow websites to map interests and browsing habits for marketing and multiple data point collection techniques.
For many in the security profession, we’ve been dealing with these issues for quite some time. Sneaky sites or freeware will install search engine bars on browsers or pollute people’s systems in order to create money generating minion computers. If we’re lucky, our family only has to deal with slow-downs and pop-up ads. If we’re unlucky, keyloggers and malware steal passwords and bank account information.
As security professionals we are forced to wonder why, or helplessly shake our heads as we help security-challenged family members piece back their security and privacy. Bank cards and account numbers can be changed and replaced, but those people never gain back the lost privacy as their personal information that has been siphoned off to a foreign database is sold to the highest bidder.
As with the tides, so too do social media fads ebb and flow. I remember telling family members that it’s not wise to fill out innocent-looking surveys and post them up on social networks. As such I’m beginning to see a resurgence in innocent game-like posts, such as “Which Frozen Character Are You?” or “How many states have you visited?” As we fully know these types of data-collecting devices are not truly sincere or innocent and exist only to collect real data from users.
The holidays are an excellent time to remind your loved-ones to be cautious about their Internet and social presence. But we also need to relay our cautions and fears in a way that doesn’t seem extremely paranoid or overhyped FUD.
Will someone break into a family’s home because they have made the comment that they finished buying presents and are off with the kids to buy a tree? It’s entirely possible but the security footprints are changing from physical attacks to historical PII collection.
Single points of data when assessed on an individual basis give very little information. It’s only when this data is aggregated and analyzed that it can cause concern for privacy. A survey here, or a pass-through to an article there can quickly turn into a recreation of a person’s history and browsing habits. Perhaps if someone elects to choose which state they were born in while browsing to a local news website, a particular tracking cookie could give us an answer to one of their banking secret questions. This information can then be stuffed into an existing database portfolio of that specific person. People are extremely good about providing information without asking why.
While people are warm with holiday cheer, they might be apt to overshare on social networks. Give them a friendly reminder that there are watchful eyes parsing their data and creating persistent dossiers. It may also be a good time to remind people that surveys and browsing history collect more than just innocent information.
About the Author: Daniel Diadiw (@secureit) is a Security Architect who has worked in a wide range of regulatory bodies including DoD, Utilities, Telecommunications, and Banking where he specializes in network security. Daniel does public outreach to help ordinary computer users understand the impacts of their privacy and how it is used within social networks. Daniel earned a Master’s Degree in Cybersecurity from Virginia College, holds several certifications including CISSP, Network +, and has been Security + certified since 2005.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image header courtesy of ShutterStock.com.