05 Mar 2010, Shaun Nichols, V3
Delegates were introduced to the phrase "hacking the psyche" on Thursday at the RSA 2010 conference in San Francisco.
Author and security researcher Nitesh Dhanjani used the term to describe a new phenomenon brought on by the growth in social networking services and the personal information being published online.
Dhanjani suggested that commonly posted information from social networking sites, combined with a small amount of data analysis, can be used to gather highly sensitive information about an individual.
Dhanjani highlighted the password recovery feature for online mail services as a particular area of concern. By studying data from social networking profiles, a potential attacker could gather enough information about a target to answer many of the commonly used password recovery questions.
"Even in mid-sized companies there are people that use their Gmail account to share corporate data," he said. "People are becoming so open about what they share that it is becoming really difficult to have such a password reset feature."
Enterprise networking services are not much better, according to Dhanjani. An analysis of LinkedIn connections, such as a surge in added connections between two firms prior to a merger announcement, could allow potentially sensitive corporate information to be gathered.
"I think social privacy is an oxymoron. It's like thinking you can show up to a cocktail party and then refuse to talk to people," he said. "Once you put something out there you can't take it back."