I'm scared!!!
With one subject!
Why are people not concerned about exposing their lives on the Internet, in a way that can put in danger not only themselves but also their family and friends?
I'm listing below some info I collected just by looking randomly for profiles on some social network websites.
Phones, credit card numbers, full addresses, whether they have children, how many there are and their names, where they study, where they work, etc.
You can just find everything about everyone. They're really not concerned about someone they don't know looking at their profile, searching for something (possibly with bad intentions).
We all read stories about people that met online "friends" and many of them ended very badly.
So, why does this happen?
Is it because our society lives to deify celebrities, and everybody is trying desperately to get a place in the sun and expects that somehow they'll get it using these tools?
Or is it just because they are not aware of the risks?
What can we (Security Professionals) do about it?
One suggestion I have is for ISC2 to launch some web training for regular people, teaching about online risks related to social network tools. It might be handy.
Another thing that must be done is to include basic security concepts as a basic school subject.
I would like to hear about initiatives in your countries to warn people about these risks.
Best Regards

The more pressing concern is why people happily share their "secret information" that they use to retrieve passwords, etc., from other sites. It wasn't long ago that VP candidate Sarah Palin's Yahoo account was victim to that exact SNAFU.
From my perspective, the main problem is that, as a communication medium, the Internet is very new (barely 20 years since Al Gore invented it ;-)) and Social Networking sites are even newer.
The standard community rules that one uses when face-to-face work differently on the Internet.
In the "Real World" we generally share information carefully with various groups of people we know: Family; Spouse; Children; friends; co-workers; government; strangers; what you did on holiday/stag-night - each gets different trust levels applied to them. The majority of these groups we meet face to face, or know where they're based.
Most of us access the Internet from the privacy of our own homes/own iPhone, or at least, in an individual capacity. Unless you are involved in Pair-Programming, the chances of it becoming a communal activity are limited.
As such, when people are alone, they behave somewhat differently compared to when they are face to face with people. I have no metrics, but I'm sure this plays its part in what people do and share on the Internet.
When we're on the Internet, the realization that potentially, the WHOLE WORLD has access to what one is writing doesn't cross anyone's mind as they sit alone at their desks.
Google indexes everything, caches everything and that leaves even less room for secrets. By aggregating search data, it is even possible to connect posts made under pseudonyms, aliases or anonymous. In search, many of your statements are taken out of their original forums and out of context, too. What may be deemed perfectly acceptable on a specific forum could be deemed completely inappropriate when found in a global search done by a prospective employer!
Few websites grant the content creators the appropriate amount of control over their data: the ability to limit viewing; the ability to stop Google's index; the ability to delete permanently... and even if there were, how many users would use it?
I'm sure that many of us have at some point in time, shared something on the Internet that we wish we hadn't, or something that if taken out of context could be embarrassing for us.
I honestly don't know the answer to this. Most people are too busy having fun on the Internet to be concerned with these details of security and privacy. So though we can recommend to the users that they share data carefully, I don't know how we'll convince most people to change their behaviours.
Posted by: Yousef Syed | 29 March 2010 at 06:05 PM
I avoid making assumptions like this author does as far as the motivations and 'thoughts' that other people have. Same goes for the other comment on the article.
In particular, what is troubling is security professionals such as these that try to take the opportunity to make more of a social statement rather than address a valid security issue with any sense of utility.
Posted by: Paul O'Neil | 08 April 2010 at 10:22 AM
Hi Paul,
I'm not trying to make a "social statement" but understand a social problem and find a way to address it.
What's your alternative? Close my eyes and pretend that the problem doesn't exist?
Regards
Posted by: Alexandre Cezar | 08 April 2010 at 12:25 PM
An alternative would be more in terms of your sociological and behavioral comparative to say the field of psychology that deals with many forms of pathology and address it there.
Instead of preventing, since this is not really possible, they treat the condition. So as a security professional maybe you can provide services to help, assist, and educate. We all are vulnerable to a security compromise. Some more than others, such as those who take more risks; therefore an increased likelihood is the result but does not guarantee an event will happen.
You state "What can we (Security Professionals) do about it?" You gave some good examples. I have no problem there, but your earlier statements do little to explain or support the situation.
But sometimes as a security professional you should discriminate that not everything needs you to take an action.
Posted by: Paul O'Neil | 08 April 2010 at 12:50 PM