Category Archives: Social Engineering

It’s not my birthday

Flickr image by andrewmalone used under Creative Commons

I arrived in the office this morning to find a slew of birthday greetings awaiting me, both on Skype and even in direct message form on Twitter, where I was told that my birthday was appearing in someone’s calendar and they had no idea why. For a second I was confused, until my other half told me of her moment of abject fear that she had forgotten my birthday when she logged into Skype, the the proverbial penny dropped.

Like the queen, I have two birthdays each year, my real one and my Skype birthday and there is a good reason for this. Skype decided long ago that certain parts of your Skype profile information should be publicly available and Microsoft have continued this tradition. The privacy settings of these data items are non-configurable, this data comprises your first and last names, gender, detailed location and date of birth which taken together easily constitute “Personally Identifiable Information” under whichever jurisdiction you care to mention.

Whilst is is not compulsory to enter your date of birth on Skype in order to operate an account you are certainly encouraged to do so, whether that be by the “Profile completeness” tips (you get and extra 10% for your birthday!) or the bald invitation to “Add your birthday”. However it is not made clear when you add this data that it will only ever have a privacy setting of “Public”. Once you discover this, no doubt you will want to remove your date of birth, but the interface seems designed to fool you into thinking that this is nether possible nor wise

Skype Date of Birth

“It’s a Security Thing”… It sure is!

Nonetheless it is entirely possible, and advisable to reset this information to read simply “Day”, “Month” & “Year” and to remove your birthdate from the public domain. Either that or elect to have a second alternate birthday, just like I did. I haven’t got any presents yet, but the attention on this Monday morning is lovely.

Of course your friends and people you trust need to know your birthday, otherwise how are you ever going to get the full set of Iron Maiden reissues as birthday presents (true story) but unfortunately information such as date of birth is still all too often used as important security information or qualifying information to apply for identity documents and should not be broadcast so widely. In the words of the New York State Police

“All an identity thief needs is any combination of your Social Security number, birth date, address, and phone number.”

We can argue the pure logic of their claim (“any combination?” surely not) but the fact remains any information given freely, particularly in context increases your risk of identity theft or fraud. If you think that enterprising online criminals are not really interested in this stuff, think again, as much as five years ago they were already referring to Facebook as a “Free DOB Lookup Service”, of course that got resolved but we all know that scammers actively solicit contacts on Skype already and accepting the connection request is all it takes to give away your personal information.

Criminal forum post from 2009

Criminal forum post from 2009

We live in an age where everything is increasingly connected to everything else; accounts, applications, APIs, credentials devices and personal details and more. The less you broadcast, the more you can begin the long process of reclaiming ownership over your own identity. A process which for most of us, is long overdue.

Ubisoft compromised, breach notification… Fail

At 19:44 CET I got my breach notification mail from Ubisoft. It seems that perhaps the consequences of the attack are still being felt at Ubisoft because currently their main web site is still down. In their words

“We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

As a result, we are recommending that you change the password for your account: <account-name>”

Further details from the Ubisoft blog state that the attacker used stolen credentials to gain this level of unauthorised access.
Continue reading

How to secure your Facebook profile

Dusty Keyhole by kellinahandbasket

Want to make sure that you safeguard your privacy on Facebook? Of course you do…

Time passes and Facebook changes, this is a law as immutable as gravity. I have updated my Facebook privacy guide from the 2011 edition to give you a step-by-step walkthrough of every important configuration screen and an explanation of how each important function really works.

11 pages of goodness, download it, read it, cherish it, call it George.

Download here: Making the most of Facebook Privacy 2013