The limits of social network privacy

Friday, March 19, 2010

Mike Himley

39d0a8908fbe6c18039ea8227f827023

The Lone Ranger was one of my favorite shows growing up. With his trusty side kick Tonto, he would always appear just in time to foil the bad guys and leave everyone wondering..."who is that masked man?"  Was it really that hard to determine his identity?

Many people today ride into Facebook, MySpace, Linkedin, and other social network sites with their masks on, expecting privacy and anonymity. But how hard is it to find them?

I was looking for an old colleague of mine who is not on any social sites so I searched Linkedin for his friends in the Washington DC area. I figured they could tell me how to find him.  While looking at the company listings in the area, I came across a guy who, figuratively speaking, had his mask on.  His name was listed as “Private” because he had clicked on some privacy setting in Linkedin.   Wearing a privacy mask in a public room tends to draw more attention to oneself so out of curiosity, I wanted to know who he was.  (Out of respect for Jon's privacy I won't disclose him.)  But it took me about 10 seconds. I will show you how easy it is.

But first, back to the Lone Ranger. We can assume the Lone Ranger lived in the area because he was always foiling bad guys within the same desert geography. One can only travel so far and so fast on horse.  So from a given population within a reasonably limited radius, we are looking for someone with the following characteristics:

1. Unique facial features-Square jaw, dark eye color, short black hair

2. Race (White)

3. Body type-Estimated height (5'10-6'), weight (185-200 lbs), and build (muscular) 

4. Social circle-Hangs around with an Indian named Tonto.  If you find and "friend" Tonto, you find LR.

5. Pets-Rides a white stallion. It's the biggest horse in the area and it leaves BIG tracks for ease of following.  It's also the only white horse living in the area. Goes by the name Silver. Find white stallion, find LR.

So who was the masked man? If they had Internet connectivity at the ranch back then, they could run this query in the Google search box:

location: los angeles county "lone ranger" "tonto" "white stallion"  

Go ahead and copy and paste that line as is into Google.  You should find his name pretty quickly.  He passed away in December 1999 at the age of 85.

To find a Linkedin private profile, you follow the same logic.  Search the area with 3 or more characteristics. 

So in practice you would search among the web population of Linkedin profiles and pick for example: Job Title, Company, Location, and Educational Institution as identifiers.  The odds are very low that two people have the same set of identical backgrounds but you might have to narrow your search by adding more identifiers if you get multiple profiles. Searching within Linkedin will likely lead you to privacy blocks.  But search from outside in, via Google, and you'll see things from a new angle.

Here's the sample query I ran and confirmed with 100% certainty the identity of the Linkedin masked man: 

Site:Linkedin.com "Company name" "Washington DC" "ABC University"

The Site command tells you where on the web to conduct your search. In this case, the Linkedin.com domain.  Put quotes around your identifiers to make your query more specific and add a few more if you need to, like previous employer.

There are over 1,000 private profiles in Linkedin.  If you have a real need or desire to remain private on a social network site then maybe you need to rethink your strategy.

8254
Phishing Privacy Webappsec->General
Post Rating I Like this!
6d117b57d55f63febe392e40a478011f
Anthony M. Freed So, assuming we joined LinkedIn and other social networks to be "more public" - how do we best manage our public identities in such a way as to maximize the benefits, but also protect ourselves from being victims of our own openness?

And how much responsibility must we take if we do become victims, or if our information is used to victimize our contacts through scams or social engineering?

At InfosecIsland.com, we ask for the very minimum of information for our member's profiles - Name, Company, Title, Email, and a Picture or Logo - and have options to display a link to your LI and Twitter accounts, and that's it.
1269199046
39d0a8908fbe6c18039ea8227f827023
Mike Himley Great questions but not easy answers. Maintaining a public profile is important if you want others to know of your expertise. Consider whether your profile or portions of your background require privacy. By portions I mean for example a specific project you worked on that requires privacy. Leave those portions off of social network sites. If your profile really does require privacy, for example you’re a DEA agent operating undercover on the Mexican border, please don’t put your profile up and click the privacy tab. Bad idea. Operate on the assumption that everything on social network sites is public information.

As for being victimized, a colleague of mine just publicly posted a scam attempting to exploit his contacts. As they say, light is a good antiseptic.


1269269842
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.