Your data is precious

Following LinkedIn’s large password leak, I have seen a dangerous thought spread to friends and colleagues:
“so what if my LinkedIn password has leaked? What can they do? Look for a job for me?”

That is based on wrong assumptions about what an attacker wants and can do. And it is mistaking the low value you get from a service with the value of your data. Your data is PRECIOUS. Maybe not to you. But everything can be sold, and you’ll always find someone interested to buy it. Let’s see a few creative uses of your Linkedin account:

Analyze your data

You might think that what you share is of no use to anyone except potential recruiters, but by mixing your resume, shared links, private messages, all the data you put on the website, I could build a nice profile and sell it to advertisers. Did you put your address and phone number somewhere in your profile? Awesome! I have a lot of targeted advertisements for you!

Obtain access to your other accounts(email, Facebook, Twitter, Viadeo…)

With your email address and your password, I could probably guess the password for other services. Almost nobody has strong and different passwords for every service. Would you like to see your Facebook or Twitter account compromised? I don’t think so.

Oh, remember to use a strong password, or even two factor authenticatiob for email. A lot of password recovery systems sues emails, so if your mailbox is compromised, your accounts will be compromised.

Spam/SEO

Nothing ca be done with your account? oh, you have contacts. And maybe, a well referenced profile. I’d be able to send spam links to all your contacts with the user feed, and put them in your profile, to improve the ranking of my websites. Sure, there’s no harm to you, if you don’t care about losing credibility or annoying your contacts.

Using the contact list

Oh, yes, I could sell your contact list, that’s easy money!

While I’m at it, I could have fun with your friends and colleagues:

  • ask them for money, nude pictures, confidential information, etc.
  • tell them that your email account has been compromised, and that they must address their emails to another address controlled by me
  • obtain access to their accounts with social engineering
You may be insignificant, but that’s not necessary true of your contacts. In social networks, your network has a value, and you must protect it. It is your responsibility to make sure your friends and colleagues don’t get compromised through your account.
It reminds me of the 90s, when I often had this dialogue:
Me-You should put an antivirus and firewall on your computer.
You-Why should I? There’s nothing interesting on my computer, why would anyone want to infect it?
Me-I receive from you 10 emails a day, and all of them contain a virus.”

Gorgeous spammer wants to add you as a friend

Yesterday was introduced the new Facebook Messages interface. Huzzah! You get an @facebook.com email address, unification of IM and email, conversation history, etc. That sounds cool! And what is that new feature called “social inbox”? That’s nice, messages from your friends will be prioritized and appear directly in your inbox, and other emails will go to the “others” box. Wait, what?

This feature is meant to help you waste time connect efficiently with your network. I won’t go into the analysis of how your email contacts are not always friends, even the important and regular ones, how will Google react, or how will we send emails with no subject line. I’m sure someone will talk about that at length. Instead, let’s talk about these nice people always interested in becoming our friends, sell us cheap software enlarge our pe bank account: spammers.

In the old world of regular email (yes, old, we’re in Web 2.0, Gmail is soooo last week), we had spam filters. A lot of methods were developed to protect us: blacklistingm whitelisting, greylisting, bayesian filters, SMTP verification, CAPTCHAs, etc. They’re not all efficient, but services like Gmail are really good at catching unwanted email. Spamming is an activity with a very low conversion rate: you have to send thousands of emails just to get one gullible person to click and buy. Thankfully, emails are cheap to send. But we could improve that conversion rate. Facebook just did it.

With new Messages, your Inbox will only contain messages from your friends and their friends. All other messages will go into an Other folder where you can look at them separately.

Put you in situation. A gorgeous woman/man/dog wants to be your friend on Facebook. Will you accept her/him? Let’s say she has more or less the same tastes has you (that’s surprinsingly easy to get the list of a band’s fans, same for book, political views, etc). Not yet? Let’s say you have friends more gullible than you. The hot woman is a friend of another friend and sends you a message in these terms: “Hi! We met at <gullible friend>’s party a few months ago, I had a really good time talking to you”. You just accepted the friend request, admit it. And a few days/weeks later, she will begin sending you messages about great opportunities like ponzi schemes or nigerian scams. And YOU WILL CLICK! Because it will appear directly in your inbox. Because it comes from one of your friends, someone you more or less trust.

Facebook just gave spammers a direct access to your inbox, and offered them targeted advertising, thanks to all the groups, likes, music and book fan groups. Spammers are considered dumb, because they automate a lot. But thanks to Facebook’s social features, they will learn to customize the mails, just for you. They will pay cheap workers to talk to you through the fake accounts, they will get you, your friends and your family, and will be a part of your great friends network.

Thanks to Facebook.