Just how much data do you volunteer in social media?

Most of us spend a great deal of time on social media in one form or another. I know that I do for a myriad of reasons. I seek entertainment, spreading humor, gather information, keep up on the daily news that I need to go fact check to make sure I am getting the truth, and even run a micro home business.

We know that we are giving up data to the social media host of course as we provide information in getting the account.

To use Facebook as a generic example (you can really use any social media platform for this discussion.) it will only take a few minutes of scrolling in your ever growing feed to find your self participating in fun interactive memes and discussions.

Have you seen the memes that ask what was the number one song the year that you were born? Well many of us are aware that one of the common security questions is “What was the first concert that you went to?” Oh, so many fall for that one every hour. Even with the wise commenting that it is a security question… sigh, so I and other that are like minded like populating the answers with smart alec responses to pollute the data that the scrapers are gathering.

For all intents and purposes scammers can either post those memes to directly get the responses or they can just pull data in from other people’s posts as long as they can read them. the data that they want? well it could be anything.

Here is where I am starting to take the discussion to help you learn something important. Something that many do not consider. We will call it a value add for your reading this far and actually caring.

Let’s suppose that instead of being a white hat (at least mostly white, or white by day and maybe some shades of gray after hours) cyber professional working for the betterment of humanities cybersecurity… I am a black hat who had relocated to a nation without an extradition treaty with the United States. Why would someone want to do that? Well with black hat cyber skills it can be lucrative and here is a possible option.

Set up a nice server room with a very comfy desk or recliner. Learn how to build databases. They are not hard to learn, they do take forethought to build them effectively to house enormous amounts of data.

At this moment it is very likely that your username and password has been compromised in some data breach in the past. (there are scam emails that rely on this data, I think I have described it in the past) There are places on the web that you can find repositories of usernames and passwords that were stolen and posted for others to use. Sometimes it is free to download and other times, it is for sale.

If I take a few of the free collections, I can add that to my database (think of it as an excel spreadsheet on steroids). Perhaps the file had email addresses and passwords. The low hanging fruit would be to try to access the accounts since so many rarely change their passwords. If I can get in, I might download all of the email and examine it for other data such as your name, location, family members pets, think of all that you have sent in emails. Each of those items get added to the database.

Remember that the initial data gathered was free. Perhaps it COULD have been sold but not for much. The price would be in cryptocurrency so that it is less trackable or at least harder to track. Do not let people make you think that it cannot be tracked, that is movie madness. Maybe you started with 1000 email addresses and passwords.

So you started with 1000 usernames and passwords, and after a few hours of login attempts, perhaps you used a testing script to complete the tests in fifteen minutes. You ended up with the passwords of 100 poor suckers who never change their password. To be very honest, I think that there will be more due to password reuse [link]. So now you have a new table with known good email accounts.

When I was doing ISP tech support, I frequently heard “It is just dumb email, if someone want to get my recipes or bad jokes form my family, they can have them.” Oh, my… what a treasure trove. A few paragraphs ago I mentioned the kind of data gathered from a live email account. So now your tables have linked the person’s name with the email address and if there are signature blocks, perhaps street address, city, state, country, phone number. If you wanted to sell that data, its value has gone up a little.

With all that email that you downloaded, you also identified family members. Those records get copied to another database, this one to use for trying to scam the users family members out of their money as they pay to get bail, medical attention, bail, or who knows what ploy they will use for their deception? Now I have two databases to sell.

Now I try to see if I can log into your social media accounts using those email addresses and passwords. Maybe I am able to get access to fifty of those one hundred? why so many? well, remember that they are already password reusers, so why expect that they will be better with their social media accounts?

Think of your social media account and how many friends that you have there. More data to feed into the master database as being connected to the victim. I do some scrolling through the feed and I see that they identified their first job (clickety click into their records) and their first car was a 79 Celica ((clickety click into their records)… oh look their profile shows that they graduated from Gullible State University in 87. You guess it, (clickety click into their records). This person’s record keeps getting more to it and each added element makes it more valuable. I find more and more family, job history, favorite sports teams. Have you recognized how many security questions may be answered with this data? I may have enough gathered data to try logging into the victim’s bank account, or even open a line of credit after all I know the answers. If I can get into the bank account, think of the transactions I can make. I could buy cryptocurrency online and trade it back and forth through a myriad of wallets or other transactions to make it difficult to track it back.

Now that I have stolen the victim’s money, I can use it to purchase more equipment, or buy more ill gotten data to add to my database, always seeking to build it for a better sale price. When you have thousands of live and accurate records with a ton of supporting information that price tag keeps going up. Remember that when selling data, you sell it over and over. There is no physical inventory to run out of.

Maybe my database was only worth 20 bucks per copy since it was small, but with a little knuckle grease (remember, just typing not actual elbow grease) I improved the data to be worth $500.00/copy.

Remember that there was the second database for scams? I can use AI voice tool to make convincing replicas of the victims loved ones if I can get a sample of their voice. Maybe I called them to a bogus survey to get that sample. Now I can call their mother, using that replicated voice to convince mom that I need bail money. Pick a scam there are thousands of variations.

Since I have all of those email addresses stored from getting into those mailboxes, I can add them to a third database to use for phishing emails. Just spray those email addresses and any other email address that I can collect from the web. Someone running a phishing campaign generally only needs a 1% win rate to stay profitable. (Please for all that you care about watch for red flags and do not fall for these emails) Does your employer have an email contact directory online? Perhaps and org chat that shows the person, their name, email, and maybe their desk phone? (clickety click into their records) yes more tables, with even more data. Those company based records got into another database. they may be handy for other types of attacks. Surveillance phases perhaps to see if I can gain access to the corporate network to obtain yet more data. If I can get into the HR systems, will I find social security numbers nicely paired with all of the other employee data? Some days it can be too easy. Maybe I can access the networked printer in HR. Most modern printers are just computers that print. They have hard drives. Is your corporate printer also a scanner, perhaps used to scan driver licenses and social security cards to process an I-9 form for the IRS? Yeah, there is a hard drive that stores that data in the scanner/copier that might be nice for me to get in to. Driver licenses…. yep, you guessed it…. (clickety click into their records) This data is getting quite valuable now.

With all of this data and being connected to family members… I wonder if I found any adult oriented associations or proclivities during my hunting. [In my profession, I once stumbled onto an employee that I did not know personally soliciting prostitutes via his email.] Now if the victim is not worried about intruders in their email box, this information could be used to blackmail them. How much would they pay to not have all these sordid details posted online? Or how much to prevent their significant other from getting a phone call? Just transfer a certain amount of crypto currency to me and I will delete your record. I wont really delete the record, but I will mark it as used. I will still sell it to others for their use as they see fit.

It isn’t just the big companies that make a killing off of you playing on social media, it is criminals world wide. This is one of the reasons that cyber professionals are well compensated. With what I understand and can do, I would be quite dangerous if I retired overseas. I am here teaching you how to protect yourself. It is where I get my reward, that and any ad clicks that happen in appreciation. Money is good, but as long as my family is housed, clothed, fed, and loved by our dogs… then I am happy.

If you came away with nothing but an understanding of how those silly meme games sneak valuable data out of you then it is a positive step. Stop and think before you reveal personal information. It does not take much to turn it into Personally Identifiable Information.

Cybersecurity Policy

What is a cybersecurity policy for?

A cybersecurity policy is crucial for small businesses due to the following reasons:

  1. Protecting Sensitive Data: Small businesses often handle sensitive customer information, such as personal and financial data. A cybersecurity policy helps establish guidelines and procedures to protect this information from unauthorized access, breaches, or theft.
  2. Preventing Data Loss: Data loss can occur due to various reasons, including hardware failure, natural disasters, or human error. A cybersecurity policy can include backup and recovery protocols to ensure critical data is regularly backed up and can be restored in case of a data loss incident.
  3. Mitigating Cyber Attacks: Small businesses are increasingly targeted by cybercriminals due to their potential vulnerabilities. A cybersecurity policy provides a framework to identify and address security risks, implement preventive measures, and respond effectively to cyber attacks, minimizing the potential impact on the business.
  4. Building Customer Trust: Demonstrating a commitment to cybersecurity through a well-defined policy helps build trust with customers. When customers perceive that their data is handled securely, they are more likely to engage in transactions and share sensitive information with the business.
  5. Compliance with Regulations: Depending on the industry and location, small businesses may be subject to various data protection and privacy regulations. A cybersecurity policy helps ensure compliance with these regulations, avoiding legal repercussions and potential fines.
  6. Employee Awareness and Training: A cybersecurity policy educates employees about their roles and responsibilities in maintaining a secure work environment. It outlines best practices, such as strong password management, email security, and safe browsing habits. Regular training and awareness programs can significantly reduce the risk of human error and inadvertent security breaches.
  7. Safeguarding Business Continuity: A cybersecurity incident can disrupt business operations, leading to financial loss and reputational damage. A well-designed policy includes disaster recovery and incident response plans to minimize downtime, recover from disruptions efficiently, and restore normal operations as quickly as possible.
  8. Vendor and Third-Party Risk Management: Small businesses often collaborate with vendors and third-party service providers, introducing additional security risks. A cybersecurity policy establishes criteria for evaluating the security posture of vendors and outlines expectations for protecting shared data, ensuring that external partners maintain adequate security measures.

Overall, a cybersecurity policy acts as a proactive measure to mitigate risks, protect sensitive information, and ensure the long-term sustainability and growth of a small business in today’s digital landscape.

SANS Security Policy Templates

For those in the cybersecurity industry, we all know the name SANS. They provide excellent (but quite spendy) training. I have been fortunate enough to attend one of their courses and will take more in the future due to my day job.

SANS is a great resource, for today’s subject, we are talking about security policy.

A collection of free use documents that SANS makes available for organizations. Look at the collection and see if any may help you build the strength of your organization. They have a robust community and the information that they provide is worthwhile.

General Policy Files:


Acceptable Use Policy:


Password Policy:


Password Protection Policy:


Email Policy:


Ethics Policy: (this one is retired but has worthy sections to review and possibly implement)


Depending on the input I get on this post, it may continue to evolve.