20070205

Profiling via Social Sites

I know they probably weren't the first, but Firefox is probably the most popular browser to support "Live Bookmarks" - an RSS feed as a bookmark. And coupled with bookmarking sites (social and otherwise), you've got a portable bookmark list. I don't have to keep a thumbdrive with my bookmarks anymore; I just point my browser to a feed and I'm set.

In the past, I didn't use bookmarks at all. It was easier (generally) to remember the right search terms or URLs. And in order to use my bookmarks on multiple machines, I had to copy them around. Before Live Bookmarks, using a bookmark site wasn't all that advantageous, because to get to all my sites, I still had to make two visits - first to the bookmark site, then to the site I really wanted to go to.

But now, things like Google Bookmarks, ma.gnolia, and del.icio.us allow you to bookmark, then get an RSS feed of those bookmarks. Coupled with a Live Bookmarks-type feature, you're always up-to-date.

The downside of this is that if you make your links public (I'm assuming del.icio.us is still most popular - in which case, you have to deliberately make them private), people can begin to profile you. How is this dangerous?

  • A little searching on del.icio.us will show you people who bookmark login pages you're interested in
  • You get the user names of those people
  • You can see what other login pages they've got bookmarked
  • Any of those an email site? You might be able to guess that they use the same login on their email as on the social bookmarking site
  • Spearphishing accomplished. Low return rate (you won't get many combinations of a known creditor/email provider), high hit rate (of those you find with the same combination, a pretty high volume of those will be hits).

With blogging sites, it doesn't take too many posts to figure out what services people are "married to". Those who are on Blogger have a pretty high likelihood of using other Google services. People who blog on Yahoo might get email and bookmarks from Yahoo. If you can determine the geographic region for a person (watch the timestamps on their blog postings or when their emails hit mailing lists), you can limit other things like their financial institution.

All this being said, you can bet the bad guys are working on ways of using APIs or botnets to warehouse as much of this data as possible. (Manual searching on del.icio.us takes a long time, but it can be automated and distributed for warehousing and later analysis.)

So how do you protect yourself?
  • If your blog is your "diary", make it private and limit to whom it's shared.
  • If you feel you must have a bookmark to your really sensitive stuff online, make it private, or use a private bookmarking site.
  • Don't know your own passwords. Use a password safe like KeePass (or KeePassX for *nix or Mac), or Keychain on Mac OS X, that will generate a really hard password and associate it with a URL.
  • Don't use the same login name for all your services.
  • Come up with a good handle that's not related to your real name, don't include your birth year in it, and make sure your email alias on big email services isn't the same.
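
A self-audit along the lines of the list above, as an added example that is not part of the original post: it reads your own public bookmark feed and flags bookmarks that look like login pages, then checks a handle and a set of login names against the advice. The feed contents, handle, names and the URL heuristic are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of your own public bookmark feed (RSS 2.0); not real data.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>bookmarks for jsmith1979</title>
<item><title>Bank sign in</title><link>https://bank.example/login.aspx</link></item>
<item><title>Webmail</title><link>https://mail.example/accounts/signin?next=inbox</link></item>
<item><title>Python docs</title><link>https://docs.example/tutorial/</link></item>
</channel></rss>"""

# Heuristic (assumption): path or query fragments that usually mark a login page.
LOGIN_HINT = re.compile(r"log[-_]?(in|on)|sign[-_]?(in|on)", re.I)

def exposed_logins(feed_xml):
    """Return (host, title) for each public bookmark that looks like a login page."""
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        url = urlparse((item.findtext("link") or "").strip())
        if LOGIN_HINT.search(url.path + "?" + url.query):
            hits.append((url.hostname, (item.findtext("title") or "").strip()))
    return hits

def handle_issues(handle, real_name, birth_year):
    """Check a public handle for a birth year or a piece of the real name."""
    low, issues = handle.lower(), []
    years = {str(birth_year), str(birth_year)[-2:]}
    if years & set(re.findall(r"\d+", low)):
        issues.append("contains birth year")
    if any(len(part) >= 3 and part in low for part in real_name.lower().split()):
        issues.append("contains part of real name")
    return issues

def reused_logins(accounts):
    """Map each login name used on more than one service to those services."""
    by_login = defaultdict(list)
    for service, login in accounts.items():
        by_login[login.lower()].append(service)
    return {login: sorted(s) for login, s in by_login.items() if len(s) > 1}

if __name__ == "__main__":
    print(exposed_logins(SAMPLE_FEED))
    print(handle_issues("jsmith1979", "John Smith", 1979))
    print(reused_logins({"bookmarks": "jsmith1979", "webmail": "JSmith1979", "forum": "quietfox"}))
```

Anything `exposed_logins` returns is a candidate for marking private or moving to a private bookmarking site.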

From a hacking standpoint, this is prolly the lamest academic post I've done. But to be honest, as I started trying to do some of this engineering myself, I just felt "dirty" (see Jeremiah Grossman's October 2006 survey question on testing for XSS on public sites). So I didn't spend a great deal of time digging.
