Voiceovers by Gregory Houser
A man, a martini, and a lot of microphones.: Are you a social networking butterfly..? Just watch out for the spider's web.

Saturday, September 19, 2009

Are you a social networking butterfly..? Just watch out for the spider's web.

There have been a LOT of blog posts this past year about social networking, particularly of the online sort (while it's not social networking per se, Dave Courvosier just posted a nice blog article of a similar nature regarding Google Is Your Resume). It's an important tool that people use within many industries, including the Voice Over community. Even I have references to my profiles on several online networking sites in the links section of my Website. In the "Age of Information", social networking sites have become a valuable resource for those who can't always be where the action is.

That's a good thing.

Unfortunately, there's a flip side to that equation, and it's one that most voice over professionals don't think about too often. Social networking is definitely a potent tool when used responsibly. However, it's also very easy to put yourself in a position where you're giving out too much information about yourself.

Since we're talking about the information which you put out there, let me take a second to explain a bit more about myself and why I've got the point of view that I do. You see, I've worked as an information security professional for well over a decade, specializing in finding new and unique ways to get past those things which other people feel are secure. While I am also a professional voice actor, the experience, training, and mindset which you develop over the years doing a job like mine give you a bit of a different viewpoint on things.

So while I hate to be "that guy", I've made more than a decent living in my life by looking for vulnerabilities in systems, showing proof-of-concept on how to exploit those vulnerabilities, and using techniques (often referred to as "social engineering") to get information from the least secure items within any organization's security architecture (i.e., people) so that organizations and individuals can better protect those items which they consider to be most valuable (FWIW: check out the term "White Hat", for those who've gotten nervous at this point, lol).

Think about it. Most voice over professionals I know have at least a LinkedIn and a Facebook account. A lot of us also have Twitter accounts. So I want you to put on your "black hat" for a second and think like an attacker or a scam artist. I'm not going to name names, but I'm using a well-known voice actor in Philadelphia as my target (with their permission, of course). I used Google to check out my target and learned that not only did they have a Website, but also accounts on Facebook, LiveJournal, LinkedIn, and Twitter. Not surprisingly, all of the pages with these services (save for LinkedIn) gave me enough info to know the stuff you'd normally find out about a voice talent:
  • Demos
  • Partial client list
  • Email
  • Training
  • Formal education

Now here's the stuff I was able to aggregate:

  • Home address (from domain name; pictures on LiveJournal account match Google Street images of address from domain listing).
  • I know from various postings that my target has children (from LiveJournal).
  • Past tweets tell me the name of the school, and of the target's oldest child (from Twitter).
  • Twitter also gives me the target's phone number.
  • The target's current employer (they also have a day job; LinkedIn provided that info).
  • Current complaints about employer (aggregated the target's contact email address via Google query).
  • Vacation plans (Twitter, LiveJournal, and Blog).
  • ...and a lot more (via Flickr, MySpace, and Xanga).


...needless to say, my "target" was more than a little shocked at all the data that was freely available.

If you've ever been to Gearslutz (which I feel is one of the top sites for those who are interested in the art and science of recording), you already know of the several cases where studios have been robbed, and in the investigation afterward it was learned that social media played a large role in the intruder's recon of the studio.

Now, I'm not trying to scare the bejesus out of anyone, but too often we don't think about the potential consequences when we put our information online (for those who want to know just how far down the rabbit hole you can go, I recommend a bootcamp with SANS; it's a good portion of their Incident Handling and Security Essentials courses). These unintended consequences can have major ramifications upon both our personal and professional lives.

Social networking is a powerful and useful tool, but like most tools it can be misused. The thing to remember is that even as a voice over business, you have to watch what you are doing online. Here are a few tips which I recommend you use to better ensure your privacy:

  • Watch what you share: It's too easy to give away personal information that can be used or aggregated into a format which enables others to learn more about you than you might be comfortable with. Never put your personal address, or home phone number (mobile phones are a little harder to trace back) on any social networking site. It's a piece of cake to cross-reference information and identify more information about your life than you might be comfortable with.
  • Assume that once you've put the information online, anyone can see it: Most people don't realize that you need to restrict access to your profile if you don't want random strangers to see it. The more information you put out there, the more chance there is that something's out there which you didn't want getting out for public consumption. This is also a good reason for those of us who are doing a lot of bookings out of our house to use a mailbox other than our residential mailing address (for billings and also for those social networks and phone directories where your address is collected).
  • Be Skeptical: The point of social networking is to find people who share your interests and establish a network of friends and business contacts, but don't let your defenses down too easily. These new "friends" are virtual and faceless and you can't completely trust that they are what/who they say they are. In short, on the Internet, nobody knows that you're a dog, and just because someone says they're into the same things you are, doesn't mean it's true (I've read and investigated too many scams where the victim's interest turned out to be the angle used to gain the victim's confidence).
  • Be Diligent: Knowing that the potential for scam artists or other baddies is a real one, keep an eye on your profile and be diligent about who you allow to connect with your profile. For photo sharing sites like Flickr, check out the users who are marking your photos as their Favorites. If some stranger is marking all of the pictures of your 7-year-old son as their Favorites, it seems a little creepy and may be cause for concern.
  • Report Suspicious Behavior: If you have reason to believe that someone is a scam artist or has malicious intent, report it to the site. The adage "where there's smoke, there's usually fire" is very true. Above all, don't be afraid to communicate about something which raises a red flag. It's better to have a "false positive" (where we think there's a problem and there really isn't), than to have a "false negative" (where we don't think there's a problem when in fact there is). You never find out about the false negatives until it's too late... so keep your "spidey sense" tuned. Bruce Schneier often discusses the concept of personal "threat perception" and its development with humanity's evolution (trust me, security geeks eat this stuff up). He's right, and when your "gut" is telling you that something's not right, you ought to trust it (while you don't have a "spider sense" per se, your "gut" is usually very accurate at picking up stuff that your conscious mind does not).

I apologize for turning my voice over blog into a post regarding operational security, but with all those who are gung-ho about social networking, it's valuable to recognize the flip side of that coin. The bottom line is that social networking is hugely popular and it is big business. It can be a very lucrative tool for the voice actor, but like all things it requires a bit of common sense and awareness. Like most everything else in life, the more you know, the better prepared you are to handle whatever comes your way.

Cheers!

-Gregory Houser, CISSP, GCIP, etc.


5 Comments:

Anonymous Bobbin Beam said...

Wise, excellent information here, Greg. Likewise, once something is out there on the web and it becomes indexed, it may never go away. I believe it's prudent to remain professional and be mindful of how you present yourself.
Best,
Bobbin Beam, Voice Actress

September 19, 2009 at 10:40 PM  
Blogger Matto said...

Great post, Greg. Thanks for sharing all this info - it's helpful to be reminded on just how much information we are making available.

My Facebook and Gmail accounts were hacked by one of those Nigerian scammers at the end of last year, and it worried me how much personal info they were able to access from getting into my file. I've been a lot more careful since then.

September 20, 2009 at 1:48 AM  
Blogger Unknown said...

Hi, Greg. You have written a fantastic article that should be an eye-opener to many people. I want to add a couple of points.

First, you don't want to put your birthday on Facebook. Your birthday is one of 2 pieces of info (the other is your SSN) that someone needs to steal your identity. I have seen so many Facebook pages which show a person's real birthday, and many of those are open to everybody in the world. I never enter my true birthday on any site that asks for it, and I don't have it displayed even for friends.

Second, even if you have been careful about your home address and phone number, it may still be on-line through Google's phone books. Many people also don't realize that Google Earth has satellite images. With your home address in hand, a crook can see it in Google Earth and/or Maps and get a picture of your house! You can request phone book removal with this form: http://www.google.com.au/help/pbremoval.html

Thanks again for an excellent and timely article. I'm going to use social networking now and tweet about it!


Cordially,

Karen Commins
http://www.KarenCommins.com

September 20, 2009 at 8:29 AM  
Blogger Greg Houser said...

Karen, believe it or not the questions which are routinely asked when it comes to a social security ID, or even a traditional user login are related. With just two or three pieces of information (such as your birthplace and birthday) a savvy person can figure out your SSN.

One of the biggest challenges for those who try to design security systems is the same one that folks who discovered the SSN flaw have... people don't always understand how the system works, or just what it protects, and because of that they don't realize just how important certain pieces of information really are.

Knowing little tidbits like that makes me a huge fan of searching for yourself on Google; it's one of the best ways to know just what information is really out there.

September 20, 2009 at 11:01 PM  
Blogger CourVO said...

Greg,

'Glad I had some small part in helping you arrive at the inspiration to write this blog. For those of you who don't know, Greg could write a whole book about this stuff... he's that good, that smart and that experienced in these matters.

Nice going!

Dave C

September 21, 2009 at 9:22 PM  
