Using 25 random things against you


I have been seeing a bunch of friends on social networks filling out these “25 Random Things About Me” surveys. I just saw another one going around called “44 Odd Things About You” as well. I remember a similar type of activity being passed along in email several years ago, but now it has made its way to social networks such as Facebook and MySpace. Here is what the request looks like once you have been “tagged” by one of your friends:

RULES: Once you’ve been tagged, you are supposed to write a note with 25 random things, facts, habits, or goals about you. At the end, choose 25 people to be tagged. You have to tag the person who tagged you. If I tagged you, it’s because I want to know more about you.

This sounds fun and like a good way to network with your friends. However, let me tell you why posting this information might be a bad idea.

What’s the big deal? This is fun…right?
One of the basic rules everyone should be following when using social networks is that you should consider everything you post as public information. For example, would you write down these 25 random things about you, stick your name on it, make copies and put them in the mailboxes of complete strangers in your neighborhood? Are all of the people you are friends with truly your friends? Will they always be your friends? How is your profile configured? Have you looked at your “Notes” application settings in Facebook? More importantly, do you allow your profile to be searched by search engines? If you posted these 25 random things to your profile and/or wall, you may have inadvertently allowed these things to be found by total strangers. Remember, personal information on social networks always seems to get out even if you do use the correct privacy settings…sometimes through no fault of your own.

Can I haz your password plz?
With these 25 random things about you, someone may even be able to use your answers to gain access to your email, other social networks, bank accounts, etc. Why? Check out this list of questions that are asked when requesting a “lost password” or “password reset”. Many of these are from online banking and other sensitive web sites, and they look similar to…25 random things about you.

Think this doesn’t happen? This type of attack did happen to Vice Presidential candidate Sarah Palin last year. A hacker was able to reset her Yahoo email account password using information he found on her publicly accessible Wikipedia page. Here is a quote from the Sarah Palin hacker:

“…after the password recovery was re enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was where did you meet your spouse? did some research, and apparently she had eloped with mister palin after college, if you look on some of the screenshots that I took…so graciously put on photobucket you will see the google search for palin eloped or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on Wasilla high I promptly changed the password to popcorn and took a cold shower”

This could happen to anyone! By knowing some of your 25 random things, someone may be able to reset your passwords, impersonate you or even cyberstalk you. My advice? Don’t fill these things out, or keep your answers very general and not too detailed. Email might even be a safer place for this type of information. Stop and think before you post overly detailed information about your life on social networks. It can all potentially be used against you.

6 Comments

  1. catfood says:

    Hey Tom…

    I was talking about LiveJournal with a friend today, who shrugged off those concerns by saying "Hey, everything like that I just put on friends-lock."

    How effective is friends-lock on LJ? Obviously it won’t protect you from an insider attack from LJ itself, but is it reasonably secure from outside intruders?

  2. Meagan says:

    whoohoo! I’m not lazy, I’m secure! Been tagged twice, gunna post a link to this in response.

  3. Tyler says:

    Great post. I agree with you that _if_ you fill out one of these things, you need to be generic. But, I’m gonna have to say few will follow this advice. Why?

    It’s a social network. People like to fill out these things and be "part of the group".

    I’m almost tempted on creating one and asking "What is the most common password you use?" and see what people put down.

  4. Tom says:

    @catfood From what I know, the friends-lock feature in LiveJournal is just like the feature in Facebook to limit things to your Friends or Friends of Friends. The Notes application in Facebook is really the "blogging" feature so you can make that "Friends only" as I suggest.

    Sure, it’s way better to limit this type of info to friends but what happens if one of your friends makes a copy of this information outside of the social network or…your friend’s social network account gets compromised? Also, like any socnet LiveJournal has had problems with web app vulnerabilities in the past which could inadvertently disclose private information. I wouldn’t be surprised to see another big web app vuln disclosed on one of these sites in the near future….actually there was one just yesterday where you can find photos on Facebook that are set to private/friends only. More on this here: http://www.lightbluetouchpa

  5. Tom says:

    @Tyler Hmmm…someone you know might be doing an experiment like that already…stay tuned! 🙂

  6. Greg says:

    Great post Tom.

    So basically chain letters have hit the online social networking sites. Ha.

    Funny how everything that happens in the physical world happens on the Internet too. That’s what I always tell non-techies when talking about privacy and security topics.
