The Dating Game: Dating Sites, Penetration Testing, Corporate Espionage and Psychopaths. A love story.
Raj Goel, CISSP
CTO Brainlink International, Inc.
This article appeared in InfoSecurity Magazine January/February Issue
Only two things in life are certain: death. And dating sites.
Whether it’s match.com, eHarmony.com, okcupid.com, jdate.com for Jewish singles or shaadi.com for Indian families (or the hundreds of Chinese, Russian, and other regional and language-specific sites) that promise love and marriage, in almost every culture around the world dating and marriage sites have become an integral part of society.
And if you are not looking for long-term relationships, then sites like AshleyMadison.com or apps like Tinder or Snapchat promise to fill the void in your life.
What these sites and apps also deliver is a wide range of privacy and security threats.
The real problem with most dating sites is the amount of information people put up about themselves, which never goes away. Initially you create a profile, and then you either end up in a relationship or, most commonly, you end up abandoning the site, app or profile.
Most people do not delete their profiles after they’re done with the site or app. And in many cases, the site/app operators make it impossible to delete your profile.
So if you’re putting info in online profiles, it’s never going away. In many cases, when people interview for jobs, the employer sees one thing on their Facebook or LinkedIn profile and something else in their dating profile, and the two don’t match. We’ve seen headhunters declining people for interviews; we’ve seen people getting passed over for jobs based on dating site profiles.
Match.com likes to tell you in their commercials that 1 in 5 marriages and relationships begin online. What they don’t tell you is that in the US, 1 in 5 divorces begins online[i]. That is based on data out of the American Society of Matrimonial Attorneys. In the UK, 1 out of every 3 divorces cites Facebook or social media as the cause for divorce.
A few years ago, we learned more about Julian Assange (WikiLeaks) from his OkCupid profile than from the rest of the web combined.
More and more matrimonial attorneys are now requiring that their clients give them their Facebook, Twitter and Gmail account credentials as part of the divorce process, because they want to make sure that the client doesn’t put something online that may come back and bite them when they go in front of the judge.
People who use apps like Snapchat or Tinder aren’t any safer.
- In January 2014, 4.6 million Snapchat users had their data dumped on the Internet. The data included usernames and partial phone numbers.[ii]
- In October 2014, a third-party app called Snapsaved was breached, and nude or semi-nude photos of many Snapchat users were leaked.[iii]
- A Tinder breach (that lasted approximately 2 weeks) leaked full names, dates of birth and locations.[iv]
So how does all this pose a security threat to the enterprise?
Consider a corporate executive. Either she curates her LinkedIn profile, or she has someone in marketing manage it for her. The corporate website has her sanitized bio.
Through LinkedIn or the corporate website, we know where she works; that’s public data.
Who is managing her Facebook, Snapchat, Tinder or AshleyMadison.com profiles?
Most of these sites/apps expose her current physical location, marital status, sexual or dating preferences, things she likes to do for fun, and the type of person she likes to do it with.
That’s a lot of sensitive, private, valuable data that is easily available to a penetration tester, social engineer, criminal, stalker or opposing counsel.
Valentine’s Day is approaching soon and many of your colleagues (perhaps, even you) will sign up for these or other dating sites/apps. I strongly recommend that you educate yourself and your users about the long-term dangers of these sites.
A few tips:
- Ask them to keep track of which sites, apps they use. In a few weeks, remind them to delete accounts/profiles where possible.
- Keep an eye on your web traffic for new or interesting dating websites and apps.
- Remind your users to avoid installing unapproved/unauthorized apps on their corporate phones and tablets.
- (With approval from management and legal), use data from social media and dating sites as a security case study in your security awareness training.
- For parents of teens and tweens, have a conversation with them about the reputational and legal dangers of sexting and snapchatting.
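One way to act on the web-traffic tip above, as an added example that is not part of the original article: a small Python check that scans proxy log lines for requests to the dating sites the article names and reports which users are reaching them. The log format, the usernames and the watched-domain list are constructed assumptions, not a real product's format.

```python
# Added example (not from the article): scan constructed proxy log lines for
# visits to the dating sites the article names, so a security team can see
# which corporate accounts or devices are touching them. The log format,
# usernames and domain list below are constructed assumptions.
from collections import defaultdict
from urllib.parse import urlsplit

# Sites named in the article plus Tinder; extend with your own category feed.
DATING_DOMAINS = {
    "match.com", "eharmony.com", "okcupid.com", "jdate.com",
    "shaadi.com", "ashleymadison.com", "tinder.com",
}

def host_matches(host, domains=DATING_DOMAINS):
    """True if host is a watched domain or a subdomain of one.
    Suffix matching is anchored on a dot so 'notmatch.com' does not hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def parse_line(line):
    """Parse a constructed 'timestamp user url' proxy record; None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, user, url = parts
    return ts, user, urlsplit(url).hostname or ""

def dating_site_report(lines):
    """Return {user: {host: hits}} for requests that reach watched domains."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # skip malformed records rather than crash
        _ts, user, host = rec
        if host_matches(host):
            report[user][host] += 1
    return {u: dict(hosts) for u, hosts in report.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2015-02-10T09:01:12 alice https://www.match.com/profile/edit",
    "2015-02-10T09:02:30 alice https://api.tinder.com/v2/recs",
    "2015-02-10T09:05:44 bob https://www.linkedin.com/in/someone",
    "2015-02-10T09:06:01 bob https://ashleymadison.com/app/home",
    "2015-02-10T09:07:15 carol https://notmatch.com/",
    "malformed line",
]

if __name__ == "__main__":
    for user, hosts in sorted(dating_site_report(SAMPLE_LOG).items()):
        print(user, hosts)
```

Run it against an export from your proxy or DNS logs after adapting parse_line to that format; the per-user counts are what you would feed into the follow-up reminder to delete unused profiles.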
In 2008, 13-year-old Megan Meier[v] committed suicide after her neighbor Lori Drew posed as an “attractive male teenager” named Josh Evans. “Josh” developed an online relationship with Megan, and then turned on her. On the day of her death, he sent her a message saying the world would be better off without her.
I’m not suggesting that everyone who uses social media or dating sites is going to fall prey to scams, or commit suicide.
I am suggesting, however, that honeytraps[vi] (the use of attractive male or female spies to trap the victim) have left the pages of Ian Fleming novels and become reality. Penetration testers and criminals routinely create LinkedIn profiles of attractive female recruiters to conduct reconnaissance on their targets[vii]. Around Valentine’s Day, pen testers, corporate espionage actors, foreign intelligence officers, and plain old joy riders will create numerous attractive dating profiles to entrap your colleagues and compromise security.
Consider this a friendly reminder that the Internet has democratized crime, lowered the costs of conducting espionage and data theft, and made security much, much more challenging.
As Dan Geer said, “in the world of network computers every sociopath is your neighbor”.