2007-10-16

Flickr Security Part 1 - Your Personal Profile

As always I start with a disclaimer: total security does not exist; I merely suggest best practice for finding the happy medium between online privacy and application functionality.

I'm a photographic hobbyist, which makes Flickr a really cool place for me to exhibit photographs safely, anonymously or otherwise. However, with any registered service you will have an online presence, so here are my privacy best practices:

Personal
  • Buddy icon - Choosing an icon that does not directly resemble you is probably a good idea. You don't have to be a registered user to see it, so in actual fact your icon is visible to the world. If you do choose a self-portrait then be sure it is suitably obscure, does not exhibit any distinguishing marks or scars, and does not show your house/car/workplace, etc. All of those elements can lead to a full disclosure of your personal details. Likewise, avoid posting pictures of others. More about this later.
  • Your screen name - There is so much that you can do wrong here; it depends on your vigilance. If you decide to call yourself dublingirly1982 or dubchick25 I can safely assume you are female and that you live in Dublin, or perhaps were born there. I could also safely assume you are either 25, born in 1982, or both. All of this information could be used to profile you or even to break passwords. I once saw a screen name that identified a single residential address. Another point of caution is to avoid using screen names that you use elsewhere: cross-referencing allows other people to line up two or more online profiles with the same screen name to "fill in the blanks", or to use profile information from one service to break passwords or identity checks on another service.
  • Your profile
    • First and Last Name - It isn't mandatory so why put it there?
    • Your Timezone - Over 100 million people live in my timezone, so I don't see this as particularly revealing.
    • Gender - 50% of the world is male; once again I see no harm in telling the world I'm male.
    • Singleness - If you want a date, go to a dating website; don't advertise your singleness here. If you have a need to tell the world you are married, to avoid those seeking more from their online endeavours, then by all means say so ... otherwise I would recommend the "Rather not say" option.
    • Describe Yourself ... - Be sensible, try not to put anything in here that could be used by itself or in conjunction with other information to reveal your identity.
    • Online bits
      • Your website address - Personal websites can be used for information gathering and social engineering. I would only list a website if you are a professional photographer looking to drum up business for your online portfolio, or have a similar reason to promote it.
      • Website name - Only required if you list a website address (see above).
      • AIM (AOL IM), MSN Messenger, Yahoo! IM, ICQ - Listing IM addresses not only reveals which services you use, and thus allows cross-referencing of information, but can also be used to determine your online status.
    • Offline bits
      • Your Occupation - No need to be too specific here; I don't think I need to explain why listing yourself as a prison security guard, model, bank clerk, etc. can lead to targeted social engineering attacks and worse.
      • Your Hometown, City you live in now, Country, 3 letter airport code - More than a million people live in my town, so I don't perceive this to be a real threat. This is not personally identifiable information, so it is harmless. If someone came up to you on the streets of New York and said "You live in New York" I doubt you would find that level of knowledge particularly disturbing. The same is true here.
    • Things you like...
      • Interests, Favorite Books & Authors, Favorite Movies, Stars & Directors, Favorite Music & Artists - All of this information can be used to crack passwords. Ever been asked to specify a secret question like "Name your favourite movie" or "What is your favourite band?" I thought so. Information like this is invaluable for people who are trying to crack passwords or circumvent security systems such as online banking or web-based email accounts. Due diligence is key here: if you have ever given Forrest Gump as your favourite movie for a secret question ... don't put it down here.
  • Your profile privacy
    • Email address - Flickr has an anonymous mail function. This should be set to "Nobody", unless of course you wish to share files with your contacts, in which case set it to "Contacts".
    • Instant messaging names - If you chose to specify an IM name this should be set to "Friends and family". If you did not set this option then it shouldn't matter what the level is set to.
    • Real name - If you chose to specify your real name this should be set to "Any Flickr member", which is the highest level. In my personal opinion this should have the option "Nobody", but that option does not exist.
    • Current city - Any option would be suitable and should pose no security threat; however, if like me you are paranoid then you may wish to set this to "Any Flickr member", which is the most secure option available.
    • Hide my profile from searches? - I don't really see this as a real threat; hiding your profile from searches adds little benefit if you have followed the rest of my advice.
    • Hide my EXIF data? - If you own seriously expensive camera gear you may want to consider enabling this option. The EXIF data contains the make and model of your camera and can also give an idea of what lenses you have.
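The screen-name inference described under "Your screen name" (dublingirly1982, dubchick25) can be turned into a self-check you run on a candidate name before registering it. The following Python is an added example, not code from the original post; the gender-word and place-abbreviation tables and the reference year 2007 are constructed assumptions, deliberately tiny, and a real check would use much larger lists.

```python
import re

# Constructed lookup tables: tiny illustrative lists, not a real gazetteer or name dictionary.
GENDER_TOKENS = {
    "girl": "female", "girly": "female", "chick": "female", "lady": "female",
    "boy": "male", "guy": "male", "lad": "male", "dude": "male",
}
PLACE_TOKENS = {"dublin": "Dublin", "dub": "Dublin", "london": "London", "nyc": "New York"}
REFERENCE_YEAR = 2007  # assumed "current" year so the age arithmetic matches the post


def profile_screen_name(name, current_year=REFERENCE_YEAR):
    """Return what a stranger could infer about you from the screen name alone."""
    inferred = {}
    # split into letter runs and digit runs: "dublingirly1982" -> ["dublingirly", "1982"]
    for token in re.findall(r"[a-z]+|\d+", name.lower()):
        if token.isdigit():
            value = int(token)
            if len(token) == 4 and 1900 <= value <= current_year:
                inferred["birth_year"] = value
                inferred["age_in_%d" % current_year] = current_year - value
            elif len(token) == 2 and 13 <= value <= 99:
                # ambiguous on its own: an age, or the last two digits of a birth year
                inferred.setdefault("age_or_year_suffix", value)
            continue
        # a place name may be glued to a gender word: "dublingirly" -> "dublin" + "girly";
        # longest place token first so "dublin" wins over "dub"
        for place in sorted(PLACE_TOKENS, key=len, reverse=True):
            if token.startswith(place):
                inferred["place"] = PLACE_TOKENS[place]
                token = token[len(place):]
                break
        if token in GENDER_TOKENS:
            inferred["gender"] = GENDER_TOKENS[token]
    return inferred


def screen_name_warnings(name, current_year=REFERENCE_YEAR):
    """Turn the inferred attributes into the points the post raises, as plain strings."""
    inferred = profile_screen_name(name, current_year)
    warnings = []
    if "gender" in inferred:
        warnings.append("reveals gender (%s)" % inferred["gender"])
    if "place" in inferred:
        warnings.append("reveals a place, probably home or birthplace (%s)" % inferred["place"])
    if "birth_year" in inferred:
        warnings.append("reveals birth year %d, a common secret-question and password ingredient"
                        % inferred["birth_year"])
    elif "age_or_year_suffix" in inferred:
        warnings.append("reveals an age or birth-year suffix (%d)" % inferred["age_or_year_suffix"])
    return warnings


if __name__ == "__main__":
    for candidate in ("dublingirly1982", "dubchick25", "pixelwanderer"):
        print(candidate, "->", screen_name_warnings(candidate) or ["nothing obvious leaked"])
```

A name that comes back with an empty warning list is not proven safe (the tables are small, and a name can be meaningful in ways no word list catches), but a name that comes back with three warnings is certainly telling the world more than it needs to.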
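To see what the "Hide my EXIF data?" setting is protecting, here is an added Python example (not from the original post, and not Flickr's code) that walks a JPEG's marker segments, reads the Make and Model tags out of the Exif APP1 segment, and strips that segment so a copy can be uploaded clean. It goes one step beyond the post's camera-gear point by also reporting the GPS sub-IFD pointer, which is where location tags live in cameras that record them. The JPEG bytes are constructed inline with only the structure needed to exercise the parser, so they are not a viewable image; the camera names and the GPS pointer value 9999 are placeholders. Lens tags sit in the Exif sub-IFD, which this minimal reader does not follow.

```python
import struct

# IFD0 tags this minimal reader cares about (tag numbers from the Exif/TIFF specification)
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x8825: "GPSInfoIFDPointer"}
EXIF_HEADER = b"Exif\x00\x00"

def _build_tiff(entries):
    """Build a big-endian TIFF with one IFD (constructed test data, not a real camera's output)."""
    header = b"MM\x00\x2a" + struct.pack(">I", 8)          # byte order, magic 42, IFD0 at offset 8
    data_offset = 8 + 2 + 12 * len(entries) + 4             # where out-of-line ASCII values start
    ifd, overflow = struct.pack(">H", len(entries)), b""
    for tag, value in entries:
        if isinstance(value, int):                          # LONG, count 1, stored inline
            ifd += struct.pack(">HHII", tag, 4, 1, value)
        else:                                               # ASCII, NUL-terminated
            raw = value.encode("ascii") + b"\x00"
            if len(raw) <= 4:
                ifd += struct.pack(">HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00")
            else:
                ifd += struct.pack(">HHII", tag, 2, len(raw), data_offset + len(overflow))
                overflow += raw
    return header + ifd + struct.pack(">I", 0) + overflow   # 0 = no next IFD

def _segment(marker, payload):
    """One JPEG marker segment: FF xx, 2-byte length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed JPEG: valid marker structure only, not a decodable picture. The Make/Model strings
# and the GPS pointer value (9999) are placeholders.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                            # SOI
    + _segment(0xE1, EXIF_HEADER + _build_tiff(
        [(0x010F, "ExampleCorp"), (0x0110, "ExampleCam 100"), (0x8825, 9999)]))
    + _segment(0xDB, b"\x00" + bytes(range(64)))                           # stand-in DQT
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                          # stand-in SOS header
    + b"\x12\x34\x56"                                                      # stand-in scan data
    + b"\xff\xd9"                                                          # EOI
)

def _iter_segments(jpeg):
    """Yield (marker, start, end) for each segment up to and including the SOS header."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                                   # EOI with no scan data
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:                                   # entropy-coded data follows SOS
            break
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER

def _parse_ifd0(tiff):
    """Read the IFD0 entries named in TAG_NAMES; ASCII and LONG types only."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        entry = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        if tag not in TAG_NAMES:
            continue
        if typ == 2:                                          # ASCII: inline if it fits in 4 bytes
            if n <= 4:
                raw = tiff[entry + 8:entry + 8 + n]
            else:
                off = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])[0]
                raw = tiff[off:off + n]
            found[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4:                                        # LONG: sub-IFD pointers
            found[TAG_NAMES[tag]] = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])[0]
    return found

def read_exif_tags(jpeg):
    """Return the IFD0 tags of interest, or {} when the file carries no Exif segment."""
    for marker, start, end in _iter_segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return _parse_ifd0(jpeg[start + 10:end])
    return {}

def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment(s); the compressed image data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                                         # scan data and EOI
    return bytes(out)
```

Running `read_exif_tags` on a file before and after `strip_exif` shows the difference the Flickr option makes: the stripped copy still decodes identically, because only the APP1 metadata segment is gone, but nothing about the camera body or the sub-IFDs survives. The same walk can be pointed at your own archive to find which files carry a GPS pointer before they leave your machine.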