Posted by: David Schneier
ATM, Facebook, hack, hacker, information security, LinkedIn, Regulatory Compliance, Security, security awareness, social network
Sometimes the best blog ideas just fall into my lap.
I was greeted by this status the other day on Facebook: “Today’s game – PLACE OF BIRTH! Everyone please play! You will find it interesting to know where your FB friends’ birthplaces are. Copy & paste this on your profile, then put your place of birth at the end of this sentence…. Brooklyn, NY”.
Really? I mean, really?
What’s next, have everyone post their Social Security number and date of birth to see how similar the numbers are? Or even better, I suggested to someone that everyone post their Social Security numbers under the guise of seeing if people can guess where and when it was issued (that someone actually liked the idea).
So there I was, dumbstruck and amazed, and I started trying to figure out how to prevent this sort of personal data exposure from happening in my own home. I checked all of my PCs to see if the anti-virus software was up-to-date and functioning; it was. I checked to make sure that all critical software updates were installed; they were. I verified that each machine had a unique and strong password; they did. And after conducting this basic sanity check it occurred to me that there’s still no automated solution to prevent ignorance or – dare I say it – stupidity.
Despite technology doing its best to prevent malicious or unwanted activity from occurring on your machine, there’s nothing short of web filtering to prevent people from doing what people do best: act human.
When my family first became Facebook-aware, I immediately instructed those who use it to avoid those lists that capture intimate details about your life (e.g., 20 things no one would ever guess about you) and display them to everyone with access to your profile. My family thought I was being paranoid, but I explained to them how someone can take that information and guess password challenge questions, or gain the trust of those who know you by making references to some of those details. They weren’t happy with me because it all seemed to be in good fun, but I assured them that at some point, somewhere, it was a hacker’s mentality that came up with the idea. You have to know, I’m the guy who refuses to use non-bank ATMs, probes the card reader to see if it’s a permanent part of the ATM, and checks the area for possible spy cameras that might capture my keypad input (no joke). That same paranoia carries over to the online world we all spend so much time in these days.
It’s like the Trip-It application a number of my connections use on LinkedIn. Here’s a great idea: let’s advertise to hundreds of people when I plan to be away from home and for how long. And while I’m at it, I’ll post some sensitive information about myself on Facebook (because so many people mix their personal and professional networks) so that you could also potentially guess my alarm system access code, or the challenge question should the monitoring company call the house.
Really? I mean, really?
Oh and hey, check back next week because I actually spoke with Rebecca Keen (see my March 2nd post) and will have an interesting update to share.