If You Share Personal Information Publicly, You're on Hackers' Radar
Why do people point out where they work on their Facebook profiles? Can this type of information posted in this particular place ever be useful? Let's consider a peculiar but plausible scenario.
Several months ago, you had some business dealings with John from Fantastic Air Fresheners, Ltd. You desperately need to email him some important documents, but you've lost his business card. You don't remember his last name, which means there's no use calling the company to ask for his details. One thing you do remember is that, at one point, John mentioned that he was born in Blodgett Landing, New Hampshire, one of the smallest towns in the US. This tiny detail might be very important.
You log in to Facebook and search for John from Blodgett Landing. Since the town is tiny, only a few results come up, which makes things easier, but the profile pictures are all blurry, and you can't recognize him. Luckily, one of the Johns from Blodgett Landing has mentioned that he works for Fantastic Air Fresheners Ltd., and he's also included his last name – Smith. You have your person. After you put two and two together, it shouldn't be too hard to realize that, in all likelihood, the email address you were hoping to find is firstname.lastname@example.org.
Social media is a double-edged sword
It did take some investigation, but you can finally send John those important documents. The thing is, a cybercriminal can use the exact same information to organize a spearphishing attack on him and trick him into installing malware or revealing his passwords. That's not the only problem.
For a variety of complicated reasons, security questions are still a part of our online lives. Even organizations that handle extremely sensitive information, such as banks, continue to use them.
Having security questions play any role in protecting data has always been a terrible idea, but it's especially dreadful now when people use social media to willingly share tons of information about their personal lives. It's not just secret questions, either.
Infosec people often joke that because everyone uses their dog's name as their password, vets can make excellent cybercriminals. In the age of Facebook, Twitter, and Instagram, you don't need to be a vet to know what people's dogs are called. In addition to pets' names, people use dates of birth, names of loved ones, favorite sports teams, etc. as their passwords. Unfortunately, they do that without even sparing a thought for the fact that this type of information is easily collectible from their social media profiles.
What can you do about it?
After you've seen all the possible attack vectors created by social networks, it would be easy to conclude that we should all close our Facebook and Twitter accounts and stay away from this type of website forever. For some of you, this would present no problem, but we shouldn't forget that, for all their problems, social networks are sometimes an excellent platform for communication and sharing opinions. For many, they are an essential part of modern-day life, and just throwing them away is not really an option.
However, if you, like hundreds of millions of other people, decide to continue using social networks, you might want to consider what your profiles say about you. Carefully review your privacy settings and make sure that you share the right information only with the right people. It's a good idea to go through your lists of friends and followers every now and again and remove any people you're not quite so sure about as well.
Disable security questions wherever possible, and if you're forced to use them, make sure your answers aren't truthful. Finally, and this is something that should really go without saying, make sure your passwords can't be guessed with the help of the information in your social media profiles. In fact, make sure they can't be guessed at all. The best way to do this is to use a password manager that can create and remember complex, long passwords for you. Our own Cyclonis Password Manager does just that.
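A self-check for the last point, as an added example that is not part of the original article or of any Cyclonis product: it flags a password containing words or date fragments that a public profile reveals, including simple digit-for-letter swaps. The function names, the pet, team and date of birth are constructed for illustration; the hometown and employer reuse the article's scenario.

```python
import re
from datetime import date

# Digit/symbol-for-letter swaps people commonly apply to a familiar word.
LEET = str.maketrans("013457@$!", "oieastasi")

def profile_tokens(facts, min_len=4):
    """Lowercase words (min_len+ letters) found in free-text profile facts."""
    tokens = set()
    for fact in facts:
        tokens.update(w for w in re.findall(r"[a-z]+", fact.lower())
                      if len(w) >= min_len)
    return tokens

def date_fragments(d):
    """Usual spellings of a date inside a password: YYYY, MMDD, DDMM, +YY."""
    y, m, dd = f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd, dd + m, m + dd + y[2:], dd + m + y[2:]}

def personal_info_hits(password, facts, dates=()):
    """Return the sorted profile-derived fragments found in the password."""
    lowered = password.lower()
    unleeted = lowered.translate(LEET)   # "b1scu1t" -> "biscuit"
    hits = {t for t in profile_tokens(facts) if t in lowered or t in unleeted}
    for d in dates:
        # Dates are matched on the raw text, since un-leeting rewrites digits.
        hits.update(f for f in date_fragments(d) if f in lowered)
    return sorted(hits)

# Constructed sample profile; hometown and employer reuse the article's scenario.
FACTS = ["Biscuit", "Riverside Rovers", "Blodgett Landing",
         "Fantastic Air Fresheners", "John Smith"]
BIRTHDAYS = [date(1987, 4, 12)]   # constructed

if __name__ == "__main__":
    for pw in ["B1scu1t1987!", "R0vers#0412", "xK9#vQ2m!Lp7wZ4r"]:
        hits = personal_info_hits(pw, FACTS, BIRTHDAYS)
        print(f"{pw!r}: {'derived from ' + ', '.join(hits) if hits else 'no match'}")
```

An empty result only means the password does not embed the listed facts; it says nothing about length or randomness, which is what a password manager's generator takes care of.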