Please Burglarize My House: Personal OPSEC and Social Broadcasting

June 9, 2009 :: Joe Loong

In a previous blog life, I envisioned a scenario where cyber-savvy criminals simply did a blog search for the phrase “going on vacation” to target houses to burglarize. Given that people routinely post details about where they live, their whereabouts at any given time, what kind of stuff they own, and who they live with (or if they live alone), there’s a lot of information available that could be useful to potential burglars.

Well, it looks like this scenario may have finally happened, as written up by travel blog Travelin’ Light: Twitter user @izzyvideo posted a Tweet saying he and his family were on vacation. A few days later, he tweeted that his house had been burglarized. (There’s more info in his blog entry, and it’s been getting mainstream press attention.)

Since his Twitter updates were publicly findable on any Web search and also appear on his Facebook page, there’s no way (that I see, anyway) to pin this on one of his online friends or followers, if any of them had a hand in the crime in the first place. It’s perfectly possible (in fact, I would say probable) that the burglary was just a random property crime that doesn’t have anything to do with any social media at all. But it’s a fascinating, if disturbing, topic, especially since it has a link to Twitter. After all, Twitter is about socially broadcasting your status in realtime, as well as the ability to search those updates, also in realtime.

Transparency as Vulnerability?

I was struck by a passage in Everfree, a science fiction novel by Nick Sagan, where a protagonist is talking about the wireless links that people use to communicate:

Watch lists tell us who’s in the news, so if I’ve got Claire on mine and she’s featured on someone’s channel, an alert lets me know. Watch lists are also a measure of popularity, so the more watched you are, the better. Slick way to get citizens to enjoy being watched. “How do I get more people to like me? How do I move up in the rankings?”…

…If someone’s using a link anywhere in the city, I can find out where he is and what he’s linking — another person, an information site, entertainment, you name it. Blows my mind how many citizens are willing to give up their privacy. Total transparency may be the selling point, but the goal is control.”

Sound like any social broadcasting phenomena we know? (Incidentally, the book came out in 2006, the same year as Twitter’s founding. Also, one of the bad guys is named “Ning,” though I think that’s just a coincidence.)

Opsec as a Way of Life

Now, intelligence and military types (including military bloggers) often talk about Opsec (Operations Security), which means being aware of what you say that might reveal what you’re doing. It’s best embodied by that most famous WWII slogan, “Loose Lips Sink Ships.” (You can see a whole bunch of related posters at the WWII Poster Collection at the Northwestern University Library.)

Another aspect of Opsec is the idea that a single piece of information might not be damaging by itself, but a watchful adversary could combine it with other pieces to form a revealing picture, as illustrated by another poster: “Bits of careless talk are pieced together by the enemy.”

Anyway, especially with services where we announce our physical location, I predict we’re going to have to be a lot more sensitive to personal Opsec concerns, because eventually, the criminals will catch up.

As a bonus, here’s a version of the Someone Talked! poster that I’d worked up for a more up-to-date warning message:

[Image: “Someone blogged!” Modified public domain source image from the WWII Poster Collection at the Northwestern University Library.]

Have you thought about how people might misuse the information you broadcast? [Incidentally, in case anyone gets any ideas, my house is hardened and alarmed -- a veritable fortress -- and my neighbors and roommates are all former police / Special Forces / ninjas.] Is this overblown hype? Are you planning your own social-media enabled crime spree? Leave a comment below.


  • It seems no one learnt their lessons from the Vacation response forms which Spammers are also reselling on to interested parties.
  • I've been using these concepts for a few years to dig information about competitors. I even wrote about some of the *early* patterns I discovered along these lines: http://caseysoftware.com/free-tagging/linkedin
  • The mainstream media is looking for any ways to marginalize or scare people in the world of transparency and personal broadcasting. I believe everything is a calculated risk in the world of security. Even the best combinations of security are vulnerable because of one factor: humanity. More succinctly, social engineering.

    A lot of the coverage has been revolving on the responsibility of social networks and the issues around privacy. In the world of journalism, snark pays the bills, and thus a great debate around the personal responsibility in maintaining safety comes up. Social media is more than marketing, more than broadcasting and more than risk. It's just communication.

    What's one of the best ways to determine if a house is empty? Knock on it. Perhaps hold a box, and wear a pair of brown shorts and a brown jacket and people will assume you are delivering them a package. If someone answers, just say it was the wrong house and keep moving along. If no one answers, and after a number of repeated attempts, then you just scored the next place to burgle.

    Now, is that simple social engineering "hack" being discussed? No. The media is so bent on scaring (and not wisely educating) their viewers away from the social medium, they lose the ability to remain objective and perhaps advocate for safety and tips for their audience.

    That said, I do think twice before announcing when my fortress is insecure. I aim to be ambiguous and only share my GPS coordinates to trusted contacts (via Brightkite). Yahoo's Fire Eagle project was a great example of warning and advising users of privacy concerns in social media. To me, the project failed because the fear overpowered the benefits, but that's just conjecture at this point.

    I think people are still cautious in social media. It's a good idea that failures happen and are reported [fairly] so people can manage their social media activities just like any other means of communication. Glad to see no one was hurt.

    ~Joe
  • Thanks for the replies, folks.

    Nik -- as we've seen, offer people a keychain or a free pen and they'll give away almost any info.

    Keith -- Good observation; I companies (well, some of them) have been more aware of Opsec issues ever since the issue of industrial espionage started growing, post-Cold War.

    Joe -- Agree and disagree; it's like the difference between tape-trading and file-sharing -- you can case so many more places over the Web, get better intelligence, and do it mostly anonymously, with little effort and zero risk. While this particular case I would guess is not related to social media, if I were a savvy burglar, these techniques would be on my list.
  • Ginger
    For those of us deep in the OPSEC world, we know inherently not to post personal information on social media sites. Common sense and logic would prevail, one would think, to the average Joe internet user (uh, average Joe Manna…or average Joanne Ravie… user too?). As the old adage goes, one comment or statement alone may say or mean nothing, but when pieced together with other information from differing social sites one can come up with enough pieces of a puzzle to obtain personal information about a person. I agree with all that is mentioned in Mr. Manna’s comment, however, do have to disagree with the comment made that “The mainstream media is looking for any ways to marginalize or scare people in the world of transparency and personal broadcasting.” If articles such as the one presented here/other sites were not posted those with a false sense of safety/security may think posting certain info is harmless. Or worse, not think about what they post in the first place. I have a hard time understanding why people post 1) when they are out of town, 2) pictures of their kids and where they live, 3) venting about anything and nothing, and so on. Not to mention what may seem fun to post today (i.e., college kids posting sexy party videos/images) may not be such a good idea if a future employer uses social sites to screen the types of candidates for jobs at the company. It’s a great networking tool, marketing tool for business, communication and research tool, just be smart about what you post. That’s all this article is saying and meaning, not that one should not use social media.
    Then there are the companies that thrive and survive on people utilizing social media, otherwise their business becomes non-existent. Even some encourage their employees to blog, Tweet, and connect as much as possible through social media. Some people spend all day in social media, it’s their life and their passion. Right? Even a VP at a certain company admits she does not post on social media sites enough, and that everyone should set time in a given day to do so. That is for your business to thrive or die. So with your company (above) and in your example, Joe, it’s about where you connect with your customers, social media and its mere existence is extremely important for your company to survive. We also know that you like burgers from social media (Zebulon, In-n-Out Burger animal style), and the car you were driven home in the hospital was a CDV. But for those other average Joes, they may not be “thinking OPSEC” and post very personal information about family, pictures of kids (which pedophiles love to see), and so on. Whether a person utilizes social media sites for business or fun, much can be obtained and pulled together like a puzzle to reveal info about a person. Just be smart about it, that’s all.