How much personal information should you share online? How much information is available about you online that you can’t control? What happens when online risk transfers to the physical world? It's exceedingly difficult to answer these questions. Situations and individual threat profiles will vary greatly. I can say with certainty that the intersection of cyber vulnerability and personal physical risk is definitely a concern.
Both criminals and terrorists have used social media and other open source information to develop targeting packages on their victims. While there may be some risk from the release of personal information via data breaches, I think the biggest threat is from social media. The trend towards over-sharing of personal information on social media makes intelligence gathering on certain targets very easy. Oftentimes, even if the target is security-conscious and cautious about posting, their family members, friends and associates may not be as careful. Additionally, this information can be utilized beyond the construction of a target package on the victim. The use of social engineering to lure the target to a location where they can be victimized is also a real concern. I wrote an article about a case where kidnappers in Colombia used Facebook to facilitate kidnappings; you can find it here: Social Networks & the Threat to Personal Security.
When looking at kidnapping in particular, there are a number of ways that social media and other open source intelligence (OSINT) can be used:
- Identifying a pool of potential victims
- Doing a valuation analysis of the target
- Determining the physical location of home, office, etc.
- Learning pattern of life, daily movements, frequent locations
- Identifying family members and associates
- Identifying vices that may create vulnerabilities
- Learning about hobbies and interests that might be useful for social engineering
- Using social media as a vector for social engineering
- Luring the target through honey traps or prospective business deals
Whenever we think about cyber security, we need to think beyond the potential monetary loss that can come from a data compromise, and recognize that there are real threats in the physical realm that can be facilitated by OSINT and social media.
The real takeaway: Be careful what and how much you share on social media and other online venues. You don’t need to be paranoid, and social media and the Internet in general can be valuable and important tools. You should, however, recognize the vulnerabilities that exist and consider them in the context of your personal situation and tolerance for risk.