How Secure is Your Online Profile?
By Avinash Kadam / MIEL E-SECURITY
A cartoon shows a dog sitting next to a computer and telling another dog, “On the Internet, nobody knows that you are a dog.” We have moved beyond the days of assuming the Internet gives us complete anonymity, to using the Internet for social networking.
The success of social networking is a remarkable phenomenon. We post personal profiles for jobs, business and social interactions, and use social networking websites to catch up with school and college friends. We also do not mind sharing personal information and pictures with ‘friends of friends’ whom we have never met in person. We benefit from the anonymity of the Internet by posting a lot of real information about ourselves on social networks.
But what are the risks? We post information such as complete personal profiles, contact details, college and school information, hobbies, photos, books, places we visit, events we enjoy, persons we admire or loathe, personal opinions (not always discreet), etc. Our personal information can also be accessed by prospective employers (who want to screen us) or advertisers (who want to target us for behavioral advertisements). The business of social networking sites depends on providing access to anyone who is willing to pay the price. The valuation of Facebook was rumored to be USD 2 billion in 2006, which translated to USD 286 per user profile. Why would someone be ready to pay that sort of money unless there was a significant business benefit?
Privacy risks are further compounded by digital dossier aggregation. Anyone can systematically collect and store all information about a targeted person over a period of time from various sites, and build a complete dossier which can be used with malicious intent. The data from different websites could be correlated using new technologies like face recognition and Content-based Image Retrieval (CBIR), which can match features in pictures and correlate them. So a picture with part of your house in the background could be used to find your address. Part of your face in one picture could be compared and identified with a face in a group photograph. This category of threats is called ‘mashups’: unforeseen correlations established between data provided to independent web services, which could lead to harassment, blackmail, etc. These technologies were earlier used only in digital forensics by law enforcement agencies but are now available in the public domain. To further aggravate the situation, information once provided to a site can never be permanently removed. It lingers on in some backup copy or may have been copied and stored elsewhere.
All Internet users face risks, but these are amplified for social network users because of the element of trust which forms the basis of these sites. A malicious person can exploit this trust by sending spam using automated friend invitations and comment postings. Since users can post HTML within their own profiles as well as message boards, the sites are also vulnerable to cross-site scripting attacks. The message postings could contribute to the quick spread of viruses and worms. For example, one million users of Myspace were affected in just 20 hours by the SAMY virus. Another social network-specific attack is spear phishing, a highly targeted, personalized phishing attack that uses information provided by the social network.
How do we protect ourselves?
Be very prudent while providing information. Assume that your information will become public property, and never give away any piece of information which you will regret afterwards. Do not depend on assurances of privacy or anonymity. These do not exist. Do not assume that what you read in profiles is correct information. Who knows, you may actually be talking to a dog on the Internet.
Avinash Kadam is Director, COO and Head of Delivery at MIEL e-Security. He can be contacted at awkadam@mielesecurity.com.