In the five or so minutes it takes you to read this, 2.2 million tweets, 1.4 million Facebook statuses, and 2.6 million Snapchats will be sent across the internet. When reviewing one’s personal cyber security, most will naturally look at their passwords, install an anti-virus package, or possibly stick a post-it over their webcam. What I wish to convince you of here though, is that you should take another look at your social media presence too.
But All My Accounts Are Private…
Like mine, maybe your gut reaction to this blog is that all your accounts are private, and only your friends can see your posts. Or maybe you would never post anything personally identifiable on your account, so it doesn’t need to be private. Can you say the same for all of your friends? What many don’t realise about social media accounts is just how connected they are to the rest of the platform. You may have heard of the ‘6 degrees of separation’: that you can mathematically connect yourself to anyone in the world through only 6 other people. This theory had been regarded as somewhat of an urban myth, but recent revelations from Facebook suggest it might have been a drastic overestimation. Every single user on Facebook, on average, can connect themselves to any other user through only 3 or 4 intermediate accounts. Given that Mark Zuckerberg has stated he aims to reach 5 billion users by 2030, one can only imagine this will continue to decrease. Your online accounts, as personal as they may seem, are deeply connected to the rest of the platform. This blog isn’t about the privacy concerns that arise from such large data sets; it’s about the posts you willingly release onto the internet.
Connecting The Dots
Think back to when you first got any social media account: how long ago was that? How much have you changed since then? You may well be hyper-secure now, but were you 5 or 10 years ago? Not only do you have to take your entire Facebook account history into account, but you must also think about your Twitter account, your Snapchat account, and your LinkedIn account. A post of your new car on Facebook might seem perfectly innocuous, but what about the tweet of you picking it up outside the very local dealership, with the road signs very much in the frame? What about your Mum’s nostalgic post of you in your home town’s school uniform from 5 years ago? What about your Dad’s post about how proud he is of your new job and your new house, where he posted a photo of you holding the keys in front of the door? Connecting a few dots and some Google Street View work would reveal your home address rather easily. Whilst maybe a coarse example, it hasn’t been uncommon to follow such a chain of events in my own OSINT investigations here at DarkInvader.
I would also like to dedicate some time to ranting (I mean talking) about my experiences with Strava, definitely not as an athlete though. For those unaware, Strava allows people to brag (I mean share) about their exercise routes and PBs with their friends, in a handy format that lets people see the GPS data from their route. To my, and hopefully your, amazement, Strava’s default privacy settings allow any user to view your account (i.e. a public account). Many members of the U.S. military clearly weren’t aware of this either, as they inadvertently revealed the location of a secret military base in Afghanistan in 2017. The US military has since banned members from using Strava at all, but it does demonstrate how easy it is to slip up once. And that’s all it takes: one mistake that could potentially reveal deeply personal information on the internet, potentially forever.
Hook, Line and Sinker…
Phishing attacks can be made infinitely more convincing with a bit of digging into the target’s social media. Most people are unlikely to click on your average barely-English 419 spam email, but a more targeted email including some information from your social media accounts could make for a very tempting link to click. For example, it might include the phone number that you posted on your Twitter last year when you got a new phone, or be an email about a deal for a local restaurant you checked into on Facebook. An email like that would be sure to trick most people, and from there you open yourself up to all the cyber security threats that come with clicking a malicious link. Additionally, high profile people are at risk of blackmail where an attacker uses the OSINT techniques touched on here. This might include physically stalking people and surveilling addresses, for example. Here, the reward is much greater than compromising someone like you and me. Celebrities will pay a lot to keep certain information secret, or a third party might pay even more for access to such information. Whilst a dark topic, it’s something that does happen, and should hopefully provide the absolute worst case scenario to sum up my message here.
My aim here wasn’t to scare you (well, maybe a little bit), but to provide an insight into what an OSINT investigator’s view of social media looks like. Pretty bleak, I know, but what I will say is that I deleted some old posts and had a word with my parents about those nostalgic posts… and maybe you should too!