Security Expert Warns Of Social Networking Data Threat
Gateway data is freely available online and can be used to compromise confidential information warns a Columbia University professor
Companies and individuals should be aware of the threat posed by so-called “gateway data”, according to a security expert from Columbia University who believes that the ability to share information has dangerously outpaced understanding of basic information security.
Speaking during an RSA Conference Advisory Board roundtable event at RSA Conference Europe 2009, Herbert “Hugh” Thompson, chief security strategist for People Security and professor in the Computer Science department at Columbia University in New York, said that criminals are launching “innovative” attacks based on the information which people share online.
“People are posting indiscriminately – they throw weird information out there. What has happened is there has been a growth in the technology for information sharing but not a commensurate education in what information we should share,” he said.
The sheer amount of biographical and other data available online is exposing the confidential information of companies and individuals to attack, said Thompson.
“At some point there has got to be some fall-out from that oversharing of information. Bad guys have got to be able to leverage that information people are sharing to do harm at some point – and I now think we have gotten to that point,” he said.
Thompson defined the data which criminals can use to access confidential information, such as bank accounts or a company’s intellectual property, as “gateway data”.
“You might never have heard of the term gateway data before but that’s because I totally made it up,” he said. “Basically it’s data that seems harmless but when used properly can facilitate access to highly sensitive information.”
According to Thompson, there are three categories of gateway data. The first is “direct use”, which refers to data that can be transformed directly into sensitive information, such as the biographical information used with most password reset schemes. He said that the schemes made sense when they were first invented, but now the biographical information needed to crack them is available via Facebook or other social networking sites.
“How many people know this kind of information about people today or can find it out? It’s pretty easy,” he said. “Even if your data hygiene is good, you might be collaterally exposed by someone else you know revealing the information through a social networking site.”
Thompson discussed an experiment he conducted with some acquaintances in which he was able to hack into their email accounts using details gleaned from social networking sites and old CVs. He also cited the example of US vice-presidential hopeful Sarah Palin, who had her Yahoo email account hacked in September 2008.
The second category of gateway data is “amplification data”, which Thompson describes as a form of social engineering – information that can be used against someone to engender trust. For example, a criminal may tell a potential victim the first four digits of a credit card number, which are easily guessed or obtained compared to the rest of the number; this might fool the victim into believing that the criminal has the whole number.
The third and final category of gateway data is “collective intelligence gateway data”, which is data gleaned from a variety of sources that, when combined, can be used to reveal sensitive information. “What happens if I see the five executives of a company all within the last month have ten new recommendations on LinkedIn? It probably tells you they are looking for a job and probably says something about the stability of that company or that it might be about to be acquired,” he said.