Avoiding Social Networking Can Backfire

If you think you're clever for avoiding social networking sites, think again, writes Maltego creator Roelof Temmingh...

To my eyes Facebook just looked like a badly organized dating club, and the idea of having to fire regular musings out into cyberspace via a blogocannon has never appealed.

Figuring I was just too lazy to sign up for these services, my dear friend offered to register me anyway and just give me the passwords. Being a Google fanboy, he could sign me up as roelof.temmingh on Gmail and connect my newly created Facebook profile to that email account.

That got my attention.

I registered the email myself, quick smart, then some time later I registered my name at Facebook, with no profile information. It was a way to cyber-squat my own online identity.

It seemed like a good idea until a colleague pointed out that someone could create a profile in my name that looked more real than my blank profile. Then people would ignore my real Facebook entry and speak to "fake Roelof".

So much for the squatting plans.

So I did what I dreaded doing for a very long time and began populating my details and sending out 'friend requests'. It had the same feeling you get when joining a party where everyone is drunk, you've arrived late and don't know anyone. You know what I'm talking about.

Then the evil half of my brain got busy with hypothetical scenarios. What if I were to duplicate the process for the board members of a large company? I could even set them up with fake LinkedIn details. With a little investigation into their professional and personal life I could pull an Agent Smith and just become them! I could control who their virtual identity speaks to, who their friends are and perhaps later even start issuing press releases from their 'private' accounts. How long will it take before they realise their identities have been stolen?

I once asked the audience during a conference presentation "what's better -- to have a comprehensive profile on the Internet (e.g. be registered on social networks, have your email address known out there etc), or to have nothing about you known at all?"

Since my talk was about open source intelligence most people assumed nothing about you should be known to anyone. But I am not convinced. If nothing about you is known on the Internet it means you give attackers a clean page to work with -- they can cook up anything about you -- and there is nothing to refute their claims.

When phishers still thought that people needed to be convinced of the authenticity of websites, before they realised that people will click on any link, they would register a domain like abc-bank.com when the legitimate domain was something similar, like abcbanking.com. One solution for the banks was to proactively register all possible combinations of their trade name in a domain name.

The registrars sure smiled. It was a bit of a losing battle and the cost of maintaining and renewing all these useless domains was high. I fear that the same scenario is playing itself out in the individual online identity space at the moment.

The real problem we are facing is that we don't have a real concept of identity on the Internet. With websites and infrastructure we at least have SSL, which is admittedly mostly useless. Sure, we have class 1 certificates for people, but those just verify a person's email address.

In the past when someone presented you with a hotmail address you would have treated it with a fair amount of suspicion. But those days are gone. Everyone has a Gmail account and it's perfectly normal to send 'official looking' email using these accounts. Hell -- the guys that should be securing our government networks have a public webmail address on the 'contact us' section.

The root of this problem is always the end user. Technically we can solve this problem pretty easily. We'd start an organisation to verify identities of people the same way that Certificate Authorities verify the identity of a corporation.

We ask for blood samples, retina scans, passports, photos, finger and voice prints. After all that we give them a nice digital certificate that they can use on any online service. Try forging someone's DNA, buddy!

But how many people will use the service? Here is web site A asking for an email address and there is B asking for a certificate verified by blood sample. I think I'd go with option A.

This isn't a technology problem. It's a PICNIC problem -- problem in chair, not in computer. Any website that can convince someone that it would benefit them if they give the site their details will win, and that means online identity will stay fuzzy for the foreseeable future.
