Oversharing on the Web
Hope the weekend was refreshing!
In this short and sweet post, let’s explore the risky behavior behind oversharing on the web and what you can control when it comes to your information. It might feel great to load up your profile to share how things are going, but are you putting yourself at risk by featuring your whole life online?
Open Source Intelligence (OSINT) gathering can be a powerful tactic deployed by malicious attackers or a friendly penetration tester to create a plan of attack on a target. The information you give out online could make you vulnerable to attack.
Consider all the information you give the various services you use during account setup. Music streaming services, social media accounts, food delivery, gaming, shopping, and education resources all require some basic information for account creation. Username, password, full name, birth date, address, credit card information, security questions, and other personally identifiable information are commonly found on these sign-up forms.
When we give this information to these services, we trust that they will protect it. What happens when they become a target for attackers and our personal information gets stuck in the crosshairs? I’m pretty sure the free birthday coupon was not a good trade for all your personal data.
Attackers use OSINT to search for hardware, software, employee status, and common behaviors that can be exploited. OSINT can be used to study a target on social media to see if any exploitable devices are featured in their recent photos. A company posting on a job forum to fill a vacant position requiring skills in a specific service can inform an attacker of security gaps. Even the employee title and role featured on an individual’s networking profile could be indicative of the access they would have at a company. If an attacker can focus their OSINT gathering correctly, they might find a way into a system, elevate their privilege, and wreak havoc. A weak spot for one user could compromise an entire system, giving someone free rein over your personal data.
So, should we trust social media or other services with our information?
I would recommend providing the bare minimum of personal information to create or maintain accounts when online. Even when companies use best practices, they can still fall victim to an attack. Never fill out optional fields, add yourself to email lists, or provide your information just to ensure a form is complete. Most of these data practices have become formulaic in their collection and storage to ensure efficiency. This means data is packaged into a neat little gift for anyone who has the skill to attack a system. The last thing you want is an attacker having all the information required to make attempts on more valuable targets like a financial account.
Stay safe, and remember to stay conservative in what you give out online; you never know who is lurking.
Thanks for reading and see you next time!
P.F.