A cartoon shows a dog sitting next to a computer and telling
another dog, “On the Internet, nobody knows that you are a
dog.” We have moved beyond the days of assuming the Internet
gives us complete anonymity, to using the Internet for social
networking.
The success of social networking is a remarkable phenomenon. We
post personal profiles for jobs, business and social interactions,
and use social networking websites to catch up with school and
college friends. We also do not mind sharing personal information
and pictures with ‘friends of friends’ whom we have
never met in person. We benefit from the anonymity of the Internet
by posting a lot of real information about ourselves on social
networks.
But what are the risks?
We post information such as complete personal profiles, contact
details, college and school information, hobbies, photos, books,
places we visit, events we enjoy, persons we admire or loathe,
personal opinions (not always discreet), etc. Our personal
information can also be accessed by prospective employers (who want
to screen us) or advertisers (who want to target us for behavioral
advertisements). The business of social networking sites depends on
providing access to anyone who is willing to pay the price. The
valuation of Facebook was rumored to be USD 2 billion in 2006, which
translated to USD 286 per user profile. Why would someone be ready
to pay that sort of money unless there was a significant business
benefit?
Privacy risks are further compounded by digital dossier
aggregation. Anyone can systematically collect and store all
information about a targeted person over a period of time from
various sites, and build a complete dossier which can be used with
malicious intent. The data from different websites could be
correlated using new technologies like face recognition and
Content-based Image Retrieval (CBIR) which can match features in
pictures and correlate them. So a picture with part of your house
in the background could be used to find your address. Part of your
face in one picture could be compared and identified with a face in
a group photograph. This category of threats is called
‘mashups’, which could establish unforeseen
correlations between data provided to independent web services,
leading to harassment, blackmail, etc.
These technologies were earlier used only in digital forensics by
law enforcement agencies but are now available in the public
domain. To further aggravate the situation, information once
provided to a site can never be permanently removed. It lingers on
in some backup copy or may have been copied and stored
elsewhere.
All Internet users face risks, but these are amplified for social
network users because of the element of trust which forms the basis
of these sites. A malicious person can exploit this trust by
sending spam mails using automated friend invitations and comment
postings. Since users can post HTML within their own profiles as
well as message boards, the sites are also vulnerable to cross-site
scripting attacks. The message postings could contribute to the
quick spread of viruses and worms. For example, one million users
of MySpace were affected in just 20 hours by the SAMY virus.
Another social network-specific attack is spear phishing, a
highly targeted, personalized phishing attack that uses
information provided by the social network.
How do we protect ourselves?
Be very prudent while providing information. Assume that your
information will become public property. So never give away any
piece of information which you will regret afterwards. Do not
depend on assurances of privacy or anonymity. These do not exist.
Do not fully trust that what you read in profiles is correct
information. Who knows, you may actually be talking to a dog on the
Internet.
Avinash Kadam is Director, COO and Head of Delivery at MIEL
e-Security. He can be contacted at
awkadam@mielesecurity.com.