Oversharing information can lead to disaster online

Steve Ragan | Oct. 25, 2013
Many of us trade personal convenience for security when it comes to using technology. Steve Ragan outlines how social engineers use key information to exploit victims with phishing campaigns and through other attack vectors.

Names and email addresses alone, however, do not amount to much in a targeted phishing attack, or one that singles out an entire company or business unit. Attackers will combine that information with details from social media, personal blogs, and other sources in order to get the person they eventually address to do something, such as clicking a link or opening an attachment.

As mentioned, Dan Tynan's article offered information that raises his already high risk profile (he is a member of the media, and we're targeted quite frequently) by divulging the type of information that seems harmless in passing but is worth quite a bit to criminals. He also admits to trading personal security for convenience, a common tradeoff when it comes to the Web.

From the ITworld article:

"Had I lost my day to day files (which I store on Dropbox), I would likely have been unable to complete assignments..."

"I scan all my paychecks and store them (on SkyDrive, not Box.com - fortunately). Our tax form PDFs are all on some cloud storage service, either SkyDrive or Dropbox, as are all our receipts..."

"We scan all our doctors bills and insurance insurance (sic) statements and store them in the cloud..."

Tynan's article ended by reminding the reader that their cloud data isn't as safe as they think, which is especially true when you tell the world what you're using the cloud for.

"This information gives the attacker more material to craft a better phish. When a target user reads an email there is a tipping point where the user decides to trust or not trust the email. The more the target is made to feel the e-mail is legitimate, the more likely the target will become the victim," Trevor Hawthorn, the CTO of ThreatSim, told CSO after reading Tynan's article.

"By contrast, users who are conditioned to be vigilant and skeptical are much tougher to crack. ThreatSim calls these people Smart Skeptics as they use email, social networking and more, but are smart about the impact of their actions as they consume email and information from the Internet."

Tynan isn't alone; plenty of people share information that they feel is useless in the hands of a criminal or holds no value. This is why social engineering is so powerful in the wrong hands. Tynan is singled out here because his is a perfect example of oversharing information, and of why OpSec is important when it comes to how you manage your presence online.

When it comes to protecting OpSec and limiting the amount of information available about you online, awareness is the key. The first thing to remember is that once you post it to the Web, it's there forever, even if you "delete" it.
