20071118

Web 2.0 for Social Engineering

One of the most frightening things about Web 2.0 is the type and volume of information that people are willing to publish to the general public and to house in one location. While looking at a few Web 2.0-style sites, you can begin to aggregate a lot of information about a lot of people. Used in aggregate across the whole population, this can actually be useful. For example:

  • 80% of users on social bookmarking sites who link to site x also link to site y.
  • Same sort of metrics for podcast subscriptions or RSS/Atom subscriptions.

Isolated to an individual user, however, the information can become damaging. Suppose that, as an attacker, I use a social bookmarking site to see who has bookmarks for particular financial institutions. How many of them have webmail providers bookmarked as well? And of those, how many actually use the same username on the social bookmarking site as they do on their webmail?
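
To make the aggregate-versus-individual distinction concrete, here is an added Python example; it is not code from the original post. It runs over a constructed set of public bookmark lists (hostnames on the reserved .example TLD, handles and category mapping all made up) and shows the same records viewed two ways: as a population-level ratio, which names nobody, and as a per-user query, which is only possible because the site publishes each user's list. It also includes the self-audit check a defender would want: which of your own handles are reused across services.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): the public bookmark
# lists of five hypothetical users, keyed by the handle each chose on the
# bookmarking site.  Hostnames use the reserved .example TLD.
BOOKMARKS = {
    "alice77": {"examplebank.example", "webmail.example", "news.example"},
    "bob_k":   {"examplebank.example", "webmail.example", "recipes.example"},
    "carol":   {"news.example", "recipes.example"},
    "dave42":  {"examplebank.example", "news.example"},
    "erin":    {"webmail.example", "news.example"},
}

# Which hosts count as sensitive for the audit; an assumed categorisation.
CATEGORIES = {
    "examplebank.example": "financial",
    "webmail.example": "webmail",
}

# One person's own handles across services, as they would list them for a
# self-audit.  Constructed values.
OWN_ACCOUNTS = {
    "bookmarking": "alice77",
    "webmail": "alice77",
    "forum": "alice_h",
    "auction": "AliceSeventySeven",
}


def cooccurrence_confidence(bookmarks, site_x, site_y):
    """Population-level statistic of the kind the post calls useful: of the
    users who bookmark site_x, what fraction also bookmark site_y?
    The result is a single ratio; no individual is named."""
    with_x = [user for user, sites in bookmarks.items() if site_x in sites]
    if not with_x:
        return 0.0
    with_both = [user for user in with_x if site_y in bookmarks[user]]
    return len(with_both) / len(with_x)


def exposed_users(bookmarks, categories, required=("financial", "webmail")):
    """Individual-level view of the same records: handles whose public list
    reveals every category in `required` at once.  Publishing per-user lists
    makes this query possible; publishing only the ratio above does not."""
    hits = []
    for user, sites in bookmarks.items():
        cats = {categories[s] for s in sites if s in categories}
        if set(required) <= cats:
            hits.append(user)
    return sorted(hits)


def handle_reuse(accounts):
    """Self-audit: which handles are reused across services?  Comparison is
    case-insensitive so that 'Alice77' and 'alice77' count as the same handle.
    Returns {handle: [services]} only for handles seen on more than one service."""
    by_handle = defaultdict(list)
    for service, handle in accounts.items():
        by_handle[handle.lower()].append(service)
    return {h: sorted(s) for h, s in by_handle.items() if len(s) > 1}


if __name__ == "__main__":
    ratio = cooccurrence_confidence(BOOKMARKS, "examplebank.example", "webmail.example")
    print(f"share of bank bookmarkers who also bookmark webmail: {ratio:.0%}")
    print("handles exposing both financial and webmail:", exposed_users(BOOKMARKS, CATEGORIES))
    print("reused handles:", handle_reuse(OWN_ACCOUNTS))
```

The point of placing the two queries side by side is that they consume identical input; the difference in risk comes entirely from whether the site exposes per-user records or only summaries. The `handle_reuse` check is the cheap mitigation available to an individual: a distinct handle per service breaks the join that the post describes.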

A few more examples:
  • People will put anything on social meeting sites. However, this material is often used as background-check material during job interviews. And that is the side that might at least be able to offer some ethical justification for what they do (think of the small towns where they check teachers' trash for alcoholic beverage containers).
  • I'm no client-side scripting genius, but for a popular portal site, I wrote a module in under 30 minutes which would enumerate all the other modules on the site, along with your email address, and send them to the hacker site.
  • Micro-blogging sites make your whereabouts available to the general public. If an attacker knows you well enough to know you keep it updated, they can plan when to visit your home.
  • Old-fashioned social engineering tactics such as dumpster diving are still quite effective. Coupled with internet social engineering, these attacks can be even more damaging.
  • There are lots of examples of social meeting websites where an attacker makes a false profile of a victim with lots of incriminating (generally false) information.
  • Couple all this with your spending habits on auction sites, photos of what you do on photo sharing sites, to-do lists, personal blogs, chat room transcripts, RSS/Atom subscriptions, etc., and you can really begin to profile a well-connected person.
Now, it's easy enough for attackers to steal and forge identities. But how much damage beyond that could one really do to somebody they know in person? Or, better yet, how much damage could one do, as an educational experiment, by luring a visitor on a social website into becoming their friend, then learning all they can about that new friend without directly asking them to give up any information?

How much information are you willing to put out there?
