PEOPLE POSTING apparently innocuous information on social networking sites could leave themselves open to identity theft, a computer security conference heard this week.
Presenting a keynote address at the RSA conference in London, People Security’s chief security strategist Hugh Thompson said that while posting on social networks has grown, “there hasn’t been a commensurate education about what information we should be sharing”.
He called this information “gateway data”, which seems harmless by itself but when combined can help an attacker build up a detailed picture about a potential target.
“Bad guys have got to be able to leverage that information at some point, and we’ve arrived at that point,” Mr Thompson said, adding that this would lead to attacks on companies as well as individuals.
Password reset prompts for websites and online services often use a person’s birthday, where they went to school or information about a relative. Now, social networks have changed the context of those nuggets of data, he said.
“When these reset schemes were created many years ago, they were a good idea; it was a reasonable way to ensure trust. Today, it is completely unreasonable.”
Mr Thompson pointed out that former Alaska governor Sarah Palin had her personal e-mail account hacked by an attacker who used gateway data on her Wikipedia entry to guess a password.
People should audit their online identities for gateway data. Mr Thompson advised: “Check any things about you that are guessable on sites like LinkedIn, Twitter, Facebook, your blog or even friends’ and families’ blogs.”
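The contrast drawn above, as an added illustration that is not from the article or its speakers: a legacy knowledge-based reset check that anyone who can read the answers off a public profile will pass, a simple gateway-data audit in the spirit of the advice just quoted, and a reset built on a random, single-use, expiring token delivered out of band instead. All names and sample data are constructed.

```python
import hashlib
import hmac
import secrets
import time

# --- Legacy knowledge-based reset (the kind of scheme the article calls unreasonable) ---

# Constructed example data, not a real person.
STORED_ANSWERS = {"birthday": "1970-01-01", "school": "Example High"}
PUBLIC_PROFILE = {"bio": "Born 1970-01-01, Example High class of 1988", "city": "Dublin"}


def kba_reset_allows(stored, claimed):
    """Legacy check: pass when every stored answer is reproduced.
    Anyone who can read the answers off a public profile passes too."""
    return claimed.keys() == stored.keys() and all(
        hmac.compare_digest(stored[q].encode(), a.encode()) for q, a in claimed.items())


def exposed_answers(stored, profile):
    """Gateway-data audit: which reset answers already appear verbatim
    in text the person has published?"""
    public_text = " ".join(profile.values()).lower()
    return {q for q, a in stored.items() if a.lower() in public_text}


# --- Replacement: random, single-use, time-limited token sent out of band ---

class ResetTokenStore:
    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised in tests
        self._pending = {}          # user -> (sha256(token), expiry)

    def issue(self, user):
        token = secrets.token_urlsafe(32)                 # 256 random bits, not derivable from any profile
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user] = (digest, self.clock() + self.ttl)
        return token    # delivered by e-mail/SMS; only the hash is kept server-side

    def redeem(self, user, token):
        entry = self._pending.pop(user, None)             # any attempt consumes the token
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest())
```

Because a failed attempt consumes the pending token, online guessing buys an attacker nothing; the legitimate user simply requests a fresh one.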
In another presentation at the conference, Brian Honan, an Irish information security consultant, explained how he was able to obtain a journalist’s birth certificate using only information that was freely available online.
A wish-list on Amazon.com revealed a potential address, while the US website Pownce.com openly displayed her date of birth.
The challenge was undertaken with the journalist’s consent but Mr Honan said it showed how a determined attacker could cause a lot of damage.
Later at the event, the software company CA revealed a survey of European organisations which showed widespread bad practice in managing the access of privileged users to IT systems.
A privileged user is someone within an organisation who has high levels of access rights to critical IT systems.
In cases where privileged users are given excessive access, or they share it with other people, they can cause significant deliberate or accidental damage, the survey found.
These user accounts with high-level privileges are also a target for hackers. Dave Hansen, general manager for CA’s security business, said many of the latest security threats involve issues of identity and access rather than traditional attacks such as computer viruses.
He added that the problem could not be solved by security products alone. “There’s a big component of this that is not software, it’s security awareness.”