In the cloud identity - can we protect it?

Michal Krejdl, 19 March 2010

The last few years could be called a "social networking era". Just remember the rises (and declines) of, etc. These networks are now completely overshadowed by Facebook and Twitter. Even though MySpace and similar networks are not that widespread today, they were there at the beginning of it all. It is becoming more and more usual to identify a real ego with a social network profile. That's not too dangerous in itself, but there's a big problem: people completely lose their sense of privacy on the internet. This is not a stance against social networks, only a thought about the dangerous habits appearing with the social networking phenomenon. The risk is not the existence of social networks; the risk is how people behave there.

A question was asked in the title: can we protect your in-the-cloud identity? I must say no, we probably can't protect you, because we would have to protect you against yourself. What we can do is protect you against localised "3rd party" attacks, such as fraudulent software trying to steal your personal data directly from your PC. We absolutely can't block you while you're voluntarily typing your name, address, phone number, social security number, credit card number, etc. into any legit site. And that's it. Once you decide to join any social network, you should be very careful, because your identity (or a significant part of it) becomes public, completely dislocated from you; we can say it is in the cloud.

We can see lots of attacks made by black hats every day. These attacks are more and more based on social engineering and more and more precisely targeted. What gives black hats such wide possibilities to target you? Well, it's you and how you behave on the internet (and social networks). The older approach of black hats was based on simple machine work: they only harvested e-mails from forums etc. and redistributed them to spambot maintainers. That was easy to implement, but less effective. A logical step was to get a more complex context for spam/malware victims. And this context is served by you in luxury wrapping. How is this done?

So, do you think it is really so difficult to match keywords from your Twitter messages (sometimes assigned to GPS coordinates) or Facebook group memberships and construct a group of your interests? In fact, it can be done by a few scripts and is definitely worth the black hats' effort. Also, once you're a member of some popular social network, you're in a good target group for receiving fake e-mails with "Password reset confirmation" (Bredolab) etc., because you're used to receiving tons of e-mail notifications. I don't wanna frighten you. In fact, social networks also have some advantages, so let's discuss how to use them and how not to make a black hat's life easier.

First of all, think about the value of your identity and privacy. It is useful to compare what you would tell people you know (real friends etc.) and what you would tell a community (completely unknown people!!!) on some social network. Unfortunately, the benevolence towards the community is often too great due to a false feeling of anonymity. Now your identity: it is represented by your name, sometimes by your name and social security number or your name and e-mail. These details may be very dangerous when they fall into the wrong hands; you should always remember that. I can imagine a situation where someone makes a social network for people with a similar consumer profile and paying habits, and your credit card number is a criterion for finding your new friends. There would be lots of people who would provide their credit card numbers to such a network. And why? Just because they will be "always connected", maybe because they will virtually increase their social status, I don't know. Sometimes I think it's enough to say "it's cool" and people go there - know what I mean?

Well, the second thing is that you don't have to do everything your friends do. If a friend tells you "wow, I've recently joined Facebook and it's amazing", don't jump to conclusions so quickly just because your friend said that. Weigh it up. What do you have to publish if you wanna join the network and meet your old friends or find new ones? If you want to make the searching accurate (and use all of its features), you should provide your real name, valid address, e-mail (with your password!!!), where you studied, etc. Well, one can say "no pain, no gain", but the question is: who will have access to this information? Facebook profiles are partly indexed by Google, so you can easily find people with a profile, and even when you're not registered, you can see their main picture, their virtual friends and their membership in groups. Registered users may get more information from your profile (remember: friends of my friends are not friends of mine; in fact, friends of my friends are roughly equal to "everyone" in terms of group policies). The fact that you were invited to some social network by your friend should not change your perception of your privacy. This leads to a consideration as a cool feature rather than a vulnerability.

As the article is getting longer and longer (and maybe uncomfortable to read), we'll pinpoint the key rules again and draw some conclusions.

- always think about whether you really want to let everyone know your name, where you live, who your girlfriend is, what you're doing every two minutes, etc. - should anyone have the possibility to track your life?

- never ever tell a community (or social network provider) anything you wouldn't tell a black hat (your passwords etc.) - some information should remain completely private regardless of the color of the imaginary hat

- always check who your virtual friend is (and who his/her virtual friends are)

- if you encounter an enormous number of spam/malware attacks, you probably did something wrong - check your privacy settings on forums, social networks etc.

- use an up-to-date antivirus (+ firewall, antispam) to protect you at least on your PC (against targeted attacks), once you have already decided to put your identity in the cloud

- if you're in line with this article, then just enjoy the fun with your friends, no matter if they're real or they reside somewhere on a network ;-)