Posted by: David Schneier
Tags: CISO, compliance, Facebook, GLBA, information security, ISO, LinkedIn, NCUA, PII, regulatory, Regulatory Compliance, Security, social network
A few months back, the big blinking light in the middle of the information security radar was a story about how someone had harvested all sorts of personal information from Facebook accounts and made the resulting files available for download. The file (actually it was a series of files) offered varying degrees of detail on nearly 100 million user accounts, and it rocked the security industry for what turned out to be about five minutes. I downloaded the information out of curiosity and spent an hour or so sifting through the massive collection. I came away with the sense that the story was more interesting in the abstract, and that once you really started examining the risks introduced by the breach, it was much ado about nothing.
I’ve posted before about such things: about how you need to exercise good judgment when online and when sharing potentially sensitive information (always avoid those Facebook “about me” quizzes). While something like the Facebook breach might make it a little easier for the bad guys, the truth is the sheer volume likely rendered the information useless. I couldn’t find a Social Security number, bank account number or anything else remotely resembling a true digital prize. And I looked, believe me, I looked. I should qualify what that means: I have a well-earned reputation for being able to develop fairly extensive dossiers on people using a variety of techniques, all based on readily accessible online resources. It’s sort of a hobby interest of mine, and I find new and better ways to improve my techniques all the time. But other than using the skimmed Facebook data for marketing activities, I wouldn’t think it to be too big of a deal.
However, if you’re looking for a really neat way to access social network sites in such a way that you get to work smarter, not harder, when up to no good, there are far more effective methods available. My newest favorite threat to all of our privacy and sensitive information is a recent add-on to Outlook that lets me instantly access Facebook and LinkedIn information directly connected to an email account. The way it works: you send me an email, the Outlook add-on scans Facebook and LinkedIn for activity linked to that email address, and it displays the results all nice and neat in a sub-window below the message. I installed the add-on on Wednesday out of curiosity, expecting little if anything useful. The first email I received after the fact was from an associate in the banking industry. This person must use a business email address for Facebook and LinkedIn, because the aforementioned sub-window quickly filled with nearly a dozen different bits of information from the two sites. I can view family photos, a scheduled event detailing an upcoming vacation and several LinkedIn updates, including new connections. That by itself is scary enough, but what makes it worse for me is that I’m not connected to this person on either site. I was able to see all of this information without even wanting to. In one neat little bundle, I have the person’s email address, access to personal information, a clear indication of when they plan to be away from the office, and a simple way to track the individual’s whereabouts. Oddly enough, if I searched either site directly I couldn’t see much of the same information, but the Microsoft utility apparently removes such obstacles and gets me to where I want to be.
What would you rather have: A monstrous database with relatively benign Facebook user information or an email containing all forms of PII combined with the person’s title and position at a bank or credit union? I know who they are and if they are likely to have broad access capabilities within their institution — information allowing me to reset passwords and close to no possible way to trace this all back to me.
As if this isn’t enough to cause all you security-minded folks to lose sleep, there’s one more new wrinkle to worry about. Facebook now has its new “Places” functionality working, in which mobile users can indicate where they are at a given point in time. It reminded me of the TripIt utility that people started using on LinkedIn last year. Essentially, both tools let you provide specific information to everyone you’re connected to, and to many of the people they’re connected to, letting them know when you’re out of the office or away from home. Think about it: You go to the beach for the day and update your location on Facebook. You’re thinking that it’s no big deal if your friends and family know where you are, and you may be right. But on the day I tried it out, I tagged a family member who was with me. He has nearly 600 Facebook friends, of whom he knows fewer than a third. So 400 relative strangers knew that not only was he away from home, but so was his family. Any one of those connections instantly knew there was a reasonable chance that if they broke into our house they could get in and out with little chance of detection. For a society where people have their mail collected daily and their newspaper service suspended when away on vacation to avoid the appearance that the house is empty, this is a stunning turn of events. And you can’t stop the kids from using the newest and latest capabilities, so now we have potentially tens of millions of people advertising when they’re away from home and for how long.
It’s amazing, really, how we react to a threat framed for us by the media but almost completely miss out on another that’s way more likely to hurt us. The first thing I would do as a CISO would be to have a script written that checked every corporate email account against all popular social network sites to see if anyone is showing up. The second thing I would do (and already advise clients to do) is to update all of my related policies and training curriculum to address mixing business with pleasure: Never use your corporate email, never advertise travel plans, and never disclose anything even remotely resembling sensitive data on any of the social networking sites. And I would incorporate activities that check to see if these new policies are being followed. Remember, the right way to manage this new evolutionary twist in technology isn’t to prevent it but rather to manage it appropriately.
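The first CISO step above, the script that checks corporate email accounts against social network sites, reduces to a matching problem once the lookup results are in hand. The PowerShell below is an added example, not code from the original post or from any vendor: it assumes the social-network side has already been queried or exported into a list of records (the lookup itself is out of scope here), and every address, site name and profile URL in it is constructed sample data. The function names `ConvertTo-CanonicalEmail` and `Find-ExposedMailbox` are mine, not any product’s API.

```powershell
# Added example (not from the original post). Assumes the social-network lookup has
# already been run and its results exported into $ProfileRecords. All data below is
# constructed for illustration.

# Corporate mailboxes, as exported from the directory (constructed sample).
$CorporateMailboxes = @(
    'Alice.Jones@examplebank.example',
    'bob.lee@examplebank.example',
    'shared-loans@examplebank.example'
)

# Records returned by a social-network lookup, one per hit (constructed sample).
$ProfileRecords = @(
    [pscustomobject]@{ Site = 'Facebook'; Email = 'alice.jones+fb@ExampleBank.example'; Profile = 'facebook.example/alice' },
    [pscustomobject]@{ Site = 'LinkedIn'; Email = 'Alice.Jones@examplebank.example';    Profile = 'linkedin.example/in/alicej' },
    [pscustomobject]@{ Site = 'LinkedIn'; Email = 'carol@examplebank.example';          Profile = 'linkedin.example/in/carolx' },
    [pscustomobject]@{ Site = 'Facebook'; Email = 'bob.lee@personalmail.example';       Profile = 'facebook.example/bobl' }
)

function ConvertTo-CanonicalEmail {
    # Lower-case the address and drop "+tag" sub-addressing so that
    # alice+fb@corp and Alice@corp are recognised as the same mailbox.
    param([Parameter(Mandatory)][string]$Address)
    $parts = $Address.Trim().ToLowerInvariant().Split('@', 2)
    if ($parts.Count -ne 2) { return $null }          # not a usable address
    $local = ($parts[0] -split '\+', 2)[0]
    return "$local@$($parts[1])"
}

function Find-ExposedMailbox {
    param(
        [string[]]$Mailboxes,
        [object[]]$Records,
        [string]$CorporateDomain
    )
    $known = @{}
    foreach ($m in $Mailboxes) {
        $c = ConvertTo-CanonicalEmail $m
        if ($c) { $known[$c] = $m }
    }
    $corpDomain = $CorporateDomain.ToLowerInvariant()

    foreach ($r in $Records) {
        $canon = ConvertTo-CanonicalEmail $r.Email
        if (-not $canon) { continue }
        # A personal address on a profile is not a policy issue; only corporate ones are.
        if ($canon.Split('@')[1] -ne $corpDomain) { continue }
        [pscustomobject]@{
            Site        = $r.Site
            Address     = $canon
            Profile     = $r.Profile
            # A corporate-domain address that is not in the directory is still worth
            # a look: a stale alias, a shared mailbox, or a typo in the lookup.
            InDirectory = $known.ContainsKey($canon)
        }
    }
}

$findings = Find-ExposedMailbox -Mailboxes $CorporateMailboxes `
                                -Records $ProfileRecords `
                                -CorporateDomain 'examplebank.example'
$findings | Sort-Object Address, Site | Format-Table -AutoSize
```

With the sample data this reports Alice twice (Facebook and LinkedIn, both in the directory) and Carol once (LinkedIn, not in the directory), and says nothing about Bob, whose Facebook account uses a personal address and therefore follows the policy. The canonicalisation step matters because people register with variants of their work address, and a naive string comparison would miss exactly the accounts the policy is meant to catch.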
Oh and just in case anyone needs to be reminded of the fundamental rule of security, make sure out-of-office replies are restricted to internal communications only. I can’t believe how many of them I still receive, and with this new Outlook capability it’s just a recipe for disaster.
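Restricting out-of-office replies to internal recipients is a server-side setting, so it does not depend on every user remembering to do the right thing in Outlook. The following Exchange PowerShell is an added example, not part of the original post: it assumes an Exchange Management Shell or Exchange Online PowerShell session with recipient-management rights, and the helper names `Get-ExternalOofMailbox` and `Set-OofInternalOnly` are mine. The cmdlets and parameters it calls (`Set-RemoteDomain`, `Get-MailboxAutoReplyConfiguration`, `Set-MailboxAutoReplyConfiguration`) are the standard Exchange ones.

```powershell
# Added example (not from the original post). Assumes an Exchange / Exchange Online
# PowerShell session with rights to manage remote domains and mailbox settings.

# 1. Stop the organisation from sending automatic replies to any external domain.
#    The "Default" remote domain covers every domain without its own entry.
Set-RemoteDomain -Identity Default -AllowedOOFType None -AutoReplyEnabled $false

# 2. Find mailboxes whose current out-of-office message is still addressed to
#    outsiders. Worth running periodically even after step 1: the per-mailbox
#    setting is what users see in Outlook, and it shows who has not absorbed the policy.
function Get-ExternalOofMailbox {
    Get-Mailbox -ResultSize Unlimited |
        ForEach-Object { Get-MailboxAutoReplyConfiguration -Identity $_.Identity } |
        Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
        Select-Object Identity, AutoReplyState, ExternalAudience
}

# 3. Switch any offender to internal-only; the internal message text is left as it was.
function Set-OofInternalOnly {
    param([Parameter(ValueFromPipeline)]$Mailbox)
    process {
        Set-MailboxAutoReplyConfiguration -Identity $Mailbox.Identity -ExternalAudience None
    }
}

$offenders = @(Get-ExternalOofMailbox)
$offenders | Format-Table -AutoSize
if ($offenders.Count -gt 0) { $offenders | Set-OofInternalOnly }
```

Step 1 is the control that actually closes the gap for everyone at once; steps 2 and 3 are the compliance check the post recommends, giving you a list of people to remind rather than a silent fix. Add `-WhatIf` to the `Set-` cmdlets on the first run to review the changes before they are made.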