Chapter 7: Physical Threats
INFORMATION IN THIS CHAPTER
• Physical Threats against Your Company
• Physical Threats against Your Person
• Preventative Measures to Physical Threats
• Future Outlook to Physical Threats on Social Networks
As we have illustrated throughout this book, social networks have experienced a boom in popularity over the past few years because of their ease of use and ability to connect with a large number of people. What does this mean to us? These social networks have become a part of everyday life, and we are not just talking about our personal lives; they have invaded our corporate lives as well. Companies are now relying on social networking sites, such as Twitter, as a means of mass communication during disasters.
While social networking sites are a convenient means of communicating, they have introduced numerous security threats into our personal lives and corporate lives. Throughout this book we have discussed numerous information security threats, such as identity theft and malware; what we have not yet discussed are the threats that have been introduced into the physical security world. That’s right, we can put ourselves and companies in harm’s way with the information we share on social networking sites.
Think about the groups we join and information we share. People share proprietary information about their companies, as well as sharing their home address. Think of how easy it would be to use a social network site to gather enough information to rob a person. In the past, the criminals would have to scout the person’s house to determine their schedule so they would know when a good time would be to rob them. They don’t need to go through that hassle anymore. They can now just befriend the person on a social network site. They will learn the person’s address, as well as when they are going to be gone. “How will they learn their schedule?”, you ask. That answer is pretty simple: a large portion of people will post when they are going on vacation, as well as when they are going out. What does this mean to an attacker? You won’t be home. Sounds like a good way to scout a place, doesn’t it? And you don’t even have to sit in your car.
In this chapter, we are going to focus on both the physical risks people put themselves in and the physical risks they put on their employers.
Believe it or not, more and more companies are allowing employees to use social networking sites at work. A lack of social networking use policies and an increase in companies using the sites for operations have aided in this.
NOTE
Since this chapter is dealing with both personal and corporate physical threats, we are going to provide our definition of physical threats as they relate to the context of this chapter. A personal physical threat is the possibility of physical harm to a person or his or her property. When discussing a corporate physical threat, we are talking about a threat that can occur when physical security controls are evaded.
By allowing employees to post to their social networking sites and not educating them on what is acceptable and what is not, companies expose themselves to a range of potential lawsuits and physical threats. Below is a list of just a few of the items companies expose themselves to by not controlling what their employees post:
• Sexual harassment suits
• Leakage of proprietary information
• Liability should an employee post threatening comments to another person while at work
• Introduction of vulnerabilities into physical security controls
“Leakage of proprietary information” and “introduction of vulnerabilities into physical security controls” can occur regardless of whether the employee is posting from work or home. Now you may be wondering how this could occur with the information people post. It all comes down to how the information can be used. We will take a look at an example of how this information can be used to circumvent physical security controls.
Security companies are hired by customers to perform penetration tests on their environments. These tests include trying to gain access to an environment through any means possible. An attacker can gain access through technical means and physical means by bypassing security controls.
A security consultant by the name of Steve Stasiukonis wrote an article about how he utilized Facebook to bypass the physical controls of a company.[1] In his article, Steve explains how his company was contracted to compromise a company’s environment. They had a stipulation in the contract that they were allowed only to use information gathered on the Internet to perform the test. This stipulation was put in place because the CIO of the company was concerned about the information their employees were sharing on social networking sites. Sounds a little familiar, doesn’t it?
It was decided that Steve would use only information that he had gathered off of social networking sites. Sounds like it might be a little difficult, right? Not really. They began the project by searching multiple social networking sites for information that employees from the company were posting. What do you think they found? They found numerous employees who discussed what they did for the company and many other employees who were openly discussing their dissatisfaction with their company.
After searching multiple sites, Steve noticed that the majority of the employees belonged to Facebook. So, Steve decided to create a group named “Employees of [company name].” Steve also created a profile for a bogus employee of the company. What do you think he did next? He joined the group he created and began to send invites to employees of the company to join the group. Not surprisingly, he saw the membership of the group grow day after day.
Knowing the facility they had to access was a secured facility, they decided they would need to impersonate one of the employees of the company. So, they chose an employee who was far away from this location. By doing this, they would be able to reduce the likelihood of the person they were impersonating being known at that location. Now, they would need to impersonate this employee and be able to answer any questions about him or her that may be asked.
All they had to do was visit his or her Facebook profile. The person they decided to impersonate had posted all his or her personal information on his or her profile such as job title, phone number, e-mail address, family information, and pictures. This made it easy for them to create a bogus business card with the correct information. Not only did they create the business card but they were also able to create an embroidered shirt with the company’s logo and a fake company ID.
Armed with all the information and fake stuff they had made, they decided it was time to attempt to gain access to the facility. After arriving at the facility and entering, he or she was greeted by a receptionist. He or she immediately presented the receptionist with his or her fake credentials and began talking about how horrible the trip was and how important it was for him or her to get a spot where he or she could start replying to some important e-mails. Within seconds, the receptionist provided him or her with a place to sit, connection to the Internet, and a 24 × 7 access card to the building.
Now that he or she had successfully bypassed the physical controls and gained access to the building, he or she would need to gain access to sensitive company information. So, he or she left at the end of the business day. Remember though, he or she had a 24 × 7 access card. Guess what happened next? That’s right, he or she returned when everyone had left. He or she was then able to perform some hacking and gain access to the sensitive corporate information.
This just goes to show how information obtained from social networking sites can be used to bypass physical security controls and gain access to sensitive corporate information. Physical security controls are in place to protect a company from physical threats. When these are bypassed by information gathered off a social networking site, they are rendered useless.
TIP
This story is an example of social engineering. We normally think of social engineering as someone talking to you or sending you an e-mail saying they are someone they are not. In this example, we have seen how social networking sites can be used for social engineering purposes. In the past, the weakest link in a company’s security was usually its people. That still holds true today. We need to make sure we question people when they are in our offices and we don’t know them. With social networks, we need to perform the same type of questioning. Don’t accept friend invites from people you don’t know. Also, don’t join groups associated with your company unless you know without any doubt that it is an official company-sponsored group. By performing these simple tasks and questioning things that don’t seem in place, we can greatly reduce the risks of a company falling victim to social engineering.
This introduces some new things for us to think about in protecting our companies, doesn’t it? Think about it: we are being asked to protect our companies from threats that may or may not be directly under our control. How can we do this?
The first thought would be to just block social networking sites and not allow employees to access them from work. However, that is not going to stop them from posting from home or, better yet, from their cell phones. So, what can we really do then?
The first item we need to take a look at is the protection of our proprietary information. This is the information a company doesn’t want available to the public. How can we protect this information? We first limit who has access to the information. By limiting access, we can reduce the number of people accessing the information and thus reduce the potential of the information being posted. Keep in mind that we are talking about risk reduction, not elimination. We cannot totally eliminate the risk of the information being posted, but we can reduce the potential of it being posted.
The next item we need to get into is creating a social networking policy. This will be an acceptable use policy for the use of social networks. At a minimum, the policy should have the following:
• Purpose: This section will describe what this document is and why it has been created.
• Acceptable use: This section will describe what employees are allowed to share and what they are not. This includes information they cannot share about the company even during off hours.
• Violation: What will occur to the employee should he or she violate the policy.
• Signature: At the end of the policy, there will need to be a section for the employee to sign the document. This will prove that the employee has read the policy and agrees to the terms.
Once again, this is just the minimum information that should be included. These policies can be even further divided into the following policies:
• Blogging disclosure: This document is used for employees to list personal blogs they author outside of work.
• Blog policy: This document specifies the guidelines for writing on the company blog.
• Facebook usage policy: This document describes the guidelines employees must follow when utilizing Facebook at work.
• Twitter usage policy: This document provides guidelines on the way employees are allowed to use Twitter at work.
• YouTube usage policy: This document describes the guidelines an employee must follow when utilizing YouTube at work.
• Social media policy: This document provides guidelines on what an employee is allowed to disclose inside and outside of work.
These documents could be created as separate policies or all be contained within the same policy. This list was just to demonstrate the level you can take these policies to. It is all up to you and your company how detailed you want to get.
Now that we’ve created the policies and had the employees sign them, how do we make sure they are following them? Believe it or not, monitoring is one of the most overlooked areas when talking about security. Companies have employees sign all kinds of policies in order to reduce their liability. Then, they turn around and don’t monitor them. If we don’t monitor the social networking policy, we may reduce our liability, but we will not reduce the risk of our corporate information getting out.
So, we need to monitor employee activity. This is not an easy task. We can do this in a few ways. We can first just track how much time people are spending on these sites. If this is all you want to do, you can do it through a proxy server or a Web monitoring tool. However, this will not provide you with what information they are posting. If you want to monitor this information, which you should, you can do this by manually monitoring the sites and watching your employee profiles. This method is pretty cumbersome. Another method would be to subscribe to a service like Biz360’s Community Insight product at www.biz360.com. A service such as this provides you with a portal in which you are able to specify the sites you want to monitor and the people to monitor.
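The proxy-server approach to tracking time spent on these sites can look like the following added example, which is not from the book or from any product it mentions. It assumes the proxy writes Squid's native access.log format, that five minutes of silence ends a browsing session, and a domain list drawn from the sites named in this chapter; the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the sites the social networking policy covers.
SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "youtube.com",
                  "myspace.com", "linkedin.com")
IDLE_GAP = 300  # assumption: seconds without a request that end a session

# Constructed sample, Squid native format:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1262350800.000 120 10.0.0.5 TCP_MISS/200 4512 GET http://www.facebook.com/home.php jdoe DIRECT/192.0.2.10 text/html
1262350860.000 98 10.0.0.5 TCP_MISS/200 2210 GET http://www.facebook.com/profile.php jdoe DIRECT/192.0.2.10 text/html
1262350980.000 95 10.0.0.5 TCP_TUNNEL/200 3120 CONNECT www.facebook.com:443 jdoe HIER_DIRECT/192.0.2.10 -
1262354580.000 110 10.0.0.5 TCP_MISS/200 4100 GET http://www.facebook.com/home.php jdoe DIRECT/192.0.2.10 text/html
1262354640.000 87 10.0.0.5 TCP_MISS/200 1900 GET http://apps.facebook.com/game jdoe DIRECT/192.0.2.10 text/html
1262350900.000 75 10.0.0.9 TCP_MISS/200 900 GET http://twitter.com/home - DIRECT/192.0.2.20 text/html
1262350990.000 60 10.0.0.9 TCP_MISS/200 870 GET http://twitter.com/replies - DIRECT/192.0.2.20 text/html
1262351000.000 40 10.0.0.5 TCP_MISS/200 700 GET http://intranet.example.com/ jdoe DIRECT/192.0.2.30 text/html
1262351100.000 55 10.0.0.7 TCP_MISS/200 650 GET http://facebook.com.example.net/login asmith DIRECT/192.0.2.40 text/html
truncated line from a rotated log
"""


def host_of(method, url):
    """Return the lower-cased host for a plain request or a CONNECT tunnel."""
    if method == "CONNECT":            # HTTPS is logged as host:port only
        return url.rsplit(":", 1)[0].lower()
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:                 # malformed URL in the log
        return ""


def social_site(host):
    """Map a host to a monitored domain, matching on label boundaries only."""
    for domain in SOCIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None                        # e.g. facebook.com.example.net


def parse(lines):
    """Yield (user, site, timestamp) for requests to monitored sites."""
    for line in lines:
        fields = line.split()
        if len(fields) < 8:
            continue                   # skip truncated or foreign lines
        try:
            ts = float(fields[0])
        except ValueError:
            continue
        site = social_site(host_of(fields[5], fields[6]))
        if site:
            # Fall back to the client IP when the proxy is unauthenticated.
            user = fields[7] if fields[7] != "-" else fields[2]
            yield user, site, ts


def time_on_sites(lines, idle_gap=IDLE_GAP):
    """Estimate seconds per (user, site) by summing gaps inside sessions."""
    hits = defaultdict(list)
    for user, site, ts in parse(lines):
        hits[(user, site)].append(ts)
    totals = {}
    for key, stamps in hits.items():
        stamps.sort()
        active = 0.0
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= idle_gap:  # same session: count the interval
                active += cur - prev
        totals[key] = round(active)
    return totals


if __name__ == "__main__":
    for (user, site), secs in sorted(time_on_sites(SAMPLE_LOG.splitlines()).items()):
        print(f"{user:10} {site:15} {secs // 60} min {secs % 60} s")
```

The figure is an estimate of activity, not of what was posted: a proxy log records requests, and for HTTPS tunnels only the host name.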
WARNING
Notifying employees of activity monitoring at work is not required. An employer can monitor employee computer activities without his or her knowledge. However, this introduces a gray area if you are forced to take action against the employee. If the employee has not signed an acceptable use policy, he or she has not been told of what is allowed and what is not. Should you fire the employee for an activity without him or her signing an acceptable use policy before the incident, he or she could have a potential lawsuit against you for termination with no cause. This is a gray area, and you should consult your corporate counsel first.
The last item we are going to discuss is security awareness training. In order to have a good security program, you must provide continual security awareness training to your employees. At a minimum, the security awareness training will provide employees with training on how security is handled at the company and what is expected of them. This training can be expanded upon to explain to employees what threats are and things to watch out for.
If you want to be the super security engineer, you could create a training series based on social networks. In this series, you would train employees on the threats we have discussed thus far and the methods to protect themselves. Remember, most people don’t understand what these threats really are and what they mean to them. Should you take the time to educate the employees on this, not only from a company standpoint but from a personal standpoint, a good number of them will greatly appreciate it.
Most people never think about physical threats when using social networks. Instead, they believe the people they have made friends with are really their friends. There is also the fact that this is online. Online is a fictitious world and never crosses over into our real lives, right? Wrong. What happens when someone hacks your bank account? You lose money, and that is real. Now that’s not really a physical threat, but it does make a point of how our online world does affect our physical world.
So, you may be wondering, “What are physical threats a person can encounter?” That’s really not an easy question to answer. However, the list below does provide some physical threats a person can encounter. Keep in mind that this list is by no means an exhaustive list.
• Death
• Rape
• Bodily injury
• Property damage
• Theft
At this point, you may be wondering how one could end up in a situation where bodily harm could occur because of a social networking site. This example is a fictitious scenario; however, it could really happen, and it should make you think.
Let’s call our attacker “Bad Man.” Bad Man is out trying to find a way to make a lot of money. So, he decides he is going to kidnap the child of a wealthy person. Bad Man at this point determines the best way to find his prey is to surf the social network sites. He begins his search on a social networking site that is geared toward business people. While searching the site, he finds a person who matches his requirements: well off and with children.
Now he continues his research of his victim. He learns that the victim has a Facebook profile as well. So, he gathers all of the person’s information, including pictures and names of his family. At this point, he decides to see if the children have Facebook profiles. Guess what? They do.
Now Bad Man has been around for a bit, and he knows that most young people are going to belong to more than one social networking site. So, he decides to see if they do. Lo and behold, he finds one of the victim’s children with a profile on one of the other social networking sites that his or her dad doesn’t belong to. This is the perfect opportunity for Bad Man to create an Evil Twin (as discussed in Chapter 4, “Evil Twin Attacks”) account of his or her dad and befriend him or her.
Once befriended, Bad Man sends a message through the social networking site telling the young person that he needs the child to meet him after school at a certain place. Remember, he or she thinks that this message is from his or her dad, so he or she goes. Bad Man then kidnaps the child, and a parent’s worst nightmare has just begun.
This is kind of a far-fetched scenario. However, with the proper planning and execution, a scenario like this is not all that far-fetched. Not only do people need to concern themselves with physical threats occurring to them, but they also need to realize the repercussions that can occur should they choose to make a physical threat against another person online.
Jasper Howard was a young aspiring college football player for the University of Connecticut. Howard decided one evening to attend a dance on campus and was accompanied by a friend of his, Brian Parker, a teammate on the University of Connecticut football team. The two got involved in a squabble with another set of men, some of whom were student athletes from the school. The incident ended in tragedy as Parker suffered injuries during the fight, whereas Howard was mortally wounded by a stab wound to the abdomen. Parker was admitted to a hospital located in nearby Hartford; however, Howard later died as a consequence of the stab wounds. In a memorial to Jasper Howard, a social group was created within Facebook to show support for the fallen athlete. Friends and family joined to show their support and love for Jasper. The social group for Jasper grew to over 13,000 people (see Figure 7.1); among the 13,000 was an individual by the name of Christopher Mutchler.
Mutchler, also a student at the University of Connecticut, had a voice of his own and intended to express himself with regard to the murders. In reaction to the investigation that was taking place, Christopher made it his agenda to write within blogs, such as those found on the ESPNU sports network, as well as on Facebook. Within those two social networks, Mutchler posted threats in an attempt to keep witnesses from coming forward with any details or information that would aid in the murder investigation. Within one of his postings, Mutchler allegedly wrote, “STOP the snitching and post the names of anyone you know who gave information to the cops.”[2] Needless to say, Mutchler made himself an interesting person to seek out in light of the efforts made by police while investigating the murders. Although the police believed that Mutchler’s comments were hollow threats, Mutchler was apprehended for his actions on five counts of hindering prosecution, acts of terrorism, and several misdemeanors. Mutchler was eventually released on a $15,000 bond. In reflection, that is quite a consequence for two postings on some social networking sites. This incident illustrates that in the twenty-first century, threats such as these (especially in light of a criminal investigation) carry hefty consequences, even for someone who gets involved only indirectly, through emotional comments and an urge to be noticed during such a tragedy.
FIGURE 7.1 Facebook Memorial in Honor of Jasper Howard
Source: www.facebook.com/pages/RIPJASPER-HOWARD/153816901588. Shown for educational purposes.
We have discussed throughout this book what to do in order to protect yourself when using social network sites. However, we should review a few of these again:
• Do not include information in your profile you do not want the world to know.
• Do not become friends with just anyone.
• Utilize your privacy settings.
• Do not post in your profile your schedule, when you are going on vacation, or anything an attacker could use to create a profile of your movements.
• Do not post personal information about others in your profile. This could put them in danger.
Remember that you shouldn’t share information that you wouldn’t tell a stranger on the street. You never know if your friend is really who they say they are. Now, what should we do if we do encounter a physical threat online? Utilize the following:
• Take action.
• Notify the attacker.
• Notify the appropriate authorities.
• Be open to suggestions.
One of the biggest mistakes that anyone can make when dealing with physical threats from online sources is to not take them seriously. Social networking tools, as with any online outlet for expression, are a candid reminder that we are all players in this large maelstrom on the Internet. One of the biggest problems with our own safety is our inability to judge the severity or potential severity of the situation. Victims often dismiss the situation as something that will pass or, worse yet, have a false sense of control over the situation. Despite our diplomatic skills, ultimately we do not have any control over anyone other than ourselves. Precautionary measures should be taken whenever a situation arises where one receives any conveyance of threat or harm. At a minimum, action needs to be taken on these threats so that those who issued them understand the situation; otherwise, recurrence is more likely. So, how does one respond to physical threats and harassment? Who can help when these situations occur? How can you tell whether the threat is genuine or not? These are many of the questions that we intend to cover, and more, as part of this section on dealing with physical threats.
When you receive a threatening message from an attacker, it’s recommended that there be minimal dialog and contact thereafter. As complicated as that may be, you need to limit the dialog while still giving the attacker a clear understanding that he or she must stop. While expressing your understanding of your legal rights, explain to the attacker in a brief and simple message that you no longer wish to be contacted in any way from that moment on. That should be your first and last direct engagement with the attacker. By performing this action, you do two things: first, you set the rules of engagement by making clear that the attacker is no longer welcome to communicate with you directly; second, and most important, you give a clear indication that you are not the attacker. If the attacker persists in his or her attacks, be sure to filter this person’s activities, depending on what medium you are on. Be aware of what tools you have available to squelch or diminish the attacker’s visibility.
At the onset of any threat received, there is an impulse by the victim to remove or delete the offending message. While that may provide immediate comfort to the victim, it provides shelter to the attacker. Regardless of how disturbing or offensive the message is, it’s important that all messages from an attacker be retained. This collection of evidence is critical in defense of your cause. All information exchanged between yourself and the attacker should be retained, and you should make sure that all time stamp activity is collected and retained as well. Save all the information that the attacker has written about you to your local computer. Print it out where possible, and keep this information offline as well in the event that your data is compromised, damaged, or lost. Collect and organize any and all correspondence, and make sure that it is presentable and explainable to local law enforcement or attorneys, as required. Remember that the evidence is to prove clearly that you are being victimized and that you are not attacking or provoking the situation. While printouts of pages within social networks such as Facebook and MySpace may not be sufficient as evidence, given that we’re a Photoshop edit away from doctoring, keep in mind that social networking sites are obligated (if under court order) to provide any and all relevant evidence sequestered. In its original form, pages from these sites can be leveraged as credible evidence.
One of the biggest problems during such threatening circumstances is our inclination to solve the problem ourselves. Whenever a conveyance of a physical threat comes your way, understand that you are not alone in your situation, and be sure to seek assistance wherever possible. Avoid trying to solve the problem yourself when it comes to threats to your well-being. Do the right thing: report it.
Upon collecting and archiving all the relevant information, the next recommended step is to notify the appropriate parties of the attacker’s actions. If you are threatened within a chat forum or on a hosted social network, the abuse support centers of these services should be notified and provided evidence of what has transpired. If the threat was received via e-mail, notify the Internet service provider that hosts that mail service of this person’s activities, with accompanying evidence of any and all messages from the attacker that were perceived as threatening. Be sure to limit the amount of emotional rhetoric as much as possible, as these abuse teams are usually inundated with abuse activity. The more clearly and objectively the case is presented to these parties, the more likely you are to get a positive response to your plight. As presented in classic TV shows such as Dragnet, keep to the facts and minimize the amount of emotion so that it doesn’t create unnecessary distractions for those who are trying to support you. The more semblance of control you have in the situation, the better you will be received. Be sure of what objectives you have in this situation well in advance. Know the terms of the service in which you were engaged. We realize that it’s both annoying and difficult to read through a lot of the legal jargon, but it helps significantly in clarifying where the attacker violated any forms of acceptable usage, and it arms you with knowledge. If your intent is simply spite or revenge for the disrespect given, or to squeeze out an apology, understand that this is highly unlikely to happen. However, if your intent upon being attacked is to obtain defense of personal safety for yourself or your family, then this is an entirely different matter, which can garner more support and sympathy and may have more traction from a legal perspective.
Last but not least, one of the most important elements in dealing with such threats is to be emotionally astute enough to take advice given to you. Be receptive and open to any of the advice given to you by those to whom you appealed your case. In order to address the matter, you must be levelheaded enough to follow up on the suggestions made to you, no matter how inconvenient or damaging to your pride. After all, you sought their advice and assistance, and if you are unwilling to compromise or adjust to the advice provided, then clearly you are wasting not only your time but the time of those whom you’ve sought out to assist you with the attack. Try to remain levelheaded and receptive to the changes recommended; otherwise, such resistance may keep the matter from being resolved within an agreeable time frame.
The objective within this section is to provide some guidance on developing some measure of prevention against physical threats by leveraging the innate detective skills that each and every one of us has. It’s a traditional method that has been widely used for ages and is becoming a tool even for those outside of the more traditional professional arenas, and it’s called background checks.
Another method of protecting oneself from physical threats is by means of background checks. Background checks have been performed by organizations for years. They typically have been fairly expensive to perform, but guess what? As a result of the growing interest in screening, these services have now been geared toward the home computer user, which is great, provided you intend to use such a service and are willing to incur a monthly fee in order to do it. Some services have a “try before you buy” option where you can evaluate the service for a set number of days before making a commitment.
Background check services collect various public records on an individual on your behalf and display compilations, drawn from various databases, that provide background information on that individual. Here are some of the criteria that can be obtained:
• Addresses (previous addresses)
• Criminal records (may include sex offender history, driving records)
• Marital status/number of children
• Relatives and associates
• Civil records (divorce status, bankruptcy, and so on)
• Professional records (general employment history, license verification)
• Background report
• Age/date of birth
• Income/home value
• Phone number history (may include cellular)
• Credit history (Experian, Equifax, and TransUnion)
• Social security death index
• Certification of death
• Social security validation
• Neighborhood searches
• Government contracts
Before you punish yourself for thinking about using such tools as a means of checking someone, understand that there are very legitimate reasons to use them. For example, for anyone possibly entering into a financial commitment with someone, background checks may become very useful in helping to validate an individual’s claims of trustworthiness. Let’s suppose you own property, or have an extension within some property of yours, that you want to rent out. These tools are extremely beneficial in weeding out the less ideal candidates. Wherever you may be placing yourself in a long-term commitment in which you could incur either financial or physical risk from an individual you may not know very well, or may know but have some uncertainty about, background checks may help in letting you put your guard down and providing you some peace of mind before taking any actions that may incur such risks. The onus is on you to protect yourself initially, so providing that assurance and safety may just start with initiating a background check on an individual. If you are feeling rather sleazy about performing such an action, we recommend that you exercise a degree of openness and notify up front those on whom you intend to perform a background check, presenting it as an impartial means of validation. This can be done by making this disclosure in advance and by giving fair warning to the person so that he or she is aware and may be able to decide right there and then whether he or she is comfortable in continuing, or you may provide some additional measure of explanation when it comes to an event from the past. After all, we’ve all made mistakes (especially when we’re young), and they are not always reported accurately or in context. But providing advance notice is fairer to the individual and potentially opens the atmosphere for additional insight.
Always remember that the more background information you want, the more you will pay in service fees. If the individuals in question are uncomfortable with the intended actions, you provide them a parachute out of the commitment and provide yourself a means of lessening your risks and saving some money up front as well as perhaps in the future.
To put it mildly, no, not all these sites are trustworthy. There are a number of sites that prey on the innocent and either provide inaccurate data or vacuum money from you continuously while providing only a shallow pool of information that you may already know. In order to avoid any particular bias toward a reporting site that may offer you the best option, the recommendation as always is to do your homework and identify the attributes that are most important to you in the information you want to obtain.
Professional social networks such as LinkedIn have climbed in popularity, essentially because they allow individuals to remain in contact with people with whom they’ve had previous experience. They allow individuals to add testimonials in which people can share mutual success stories and add dimension to someone’s capabilities that may not necessarily be reflected in their posted profile. The buddy system in this scenario works great, but let’s face it: when seeking a new potential candidate for an organization, there is always a need to delve further into their past, beyond what is presented on the surface of a LinkedIn profile, resume, or reference check. By performing a background check on an individual, you can measure the accuracy of the stated work experience, which helps in further validating the candidate and reassuring organizations that may invest heavily in a new hire. New hires, after insurance, training, and screening, can be a very costly exercise, and having a process in place whereby you can quickly validate an individual’s background can save a company considerably in matters of liability.
Avoid the temptation of getting any irrelevant information on an individual that you are referencing. It may blur the facts and cost you extra for that juicy bit of information about that person’s past, not to mention that even the most legitimate of sites may not be accurate. When registering for such a service, validate the legitimacy of the site that you are considering and check whether the Better Business Bureau (BBB)[A] has any positive or negative information on it. Another means of validation is to examine the compliance of the reports. For example, legitimate credit reports should conform to Fair Credit Reporting Act (FCRA)[B] guidelines, all records obtained related to an individual’s driving records should adhere to the Driver’s Privacy Protection Act (DPPA)[C] guidelines, and banking information should adhere to privacy measures set by the Gramm–Leach–Bliley Act of 1999.[D] The combination of adherence to all the appropriate regulations from a reporting perspective, some measure of testimonial or validation from the BBB, and, most importantly, all the most relevant background criteria (along with price) will ensure that you have made the most educated decision if and when you decide that you need to perform a background check on an individual.
Physical threats within the social media space, whether genuine or not, will remain a visible and growing concern within cyberspace. With the constant threat of terrorism around the corner, we’ve already taken many measures to safeguard ourselves through legislation that allows for simplified methods of eavesdropping. Social networks have provided us a wonderful outlet for expression. This expression, as we’ve observed in all the previous chapters, has created quite a stir with families and legislative bodies. As with anything new, it is approached with reservation by some and overindulgence by others. Physical threats may not always be verbal; in some cases, it is simply a matter of presence. According to this government survey, stalking impacts 3.5 million people annually.[3] Of that 3.5 million, 850,000 victims (25 percent) indicated in their reports that the stalking involved some use of technology. In a study performed by the US Department of Justice in January 2009,[E] the National Crime Victimization Survey, stalking behaviors consisted of using technology to send unsolicited letters or e-mails to victims, or posting information or spreading rumors about the victim on the Internet. What may be confusing is the interchangeable use of words in these types of events, where stalking may be viewed as harassment. In truth, it’s hard to tell on the surface until the offender’s actions are better understood, as illustrated in Figure 7.2.
The key takeaway from this study was that one in four victims reported some form of cyberstalking, such as e-mail (83 percent) or instant messaging (35 percent), and three in four victims knew their offender in some capacity.[5] Whether threats are physical or verbal, it’s clear that social media tools will continue to play a growing role in entering the lives of others, whether willingly or unwillingly.
FIGURE 7.2
Cyberspace Statistics for Harassment and Stalking
Source: 2009 National Crime Victimization Survey for educational purposes only.[4]
At this point, it should be no big surprise that, with more and more people utilizing social networks for both personal use and work, the bad guys are now using the information they gain to cause physical harm to people, their assets, and their company’s assets. Oftentimes, we fail to understand that everyone has an opinion or a desire to express themselves. Whether it’s about completing a degree, cheering for your favorite team, or expressing sorrow or gratitude, all of these expressions are etched in a cyberstone-like tablet called social networks, which can be very difficult to undo once engraved. What’s often overlooked is the fact that when posting any materials within a social network you have forfeited not only your privacy but also your ownership. So, pay careful attention to what you place in this medium. Scott McNealy (former CEO of SUN) was reported to have said, “Privacy is dead, deal with it.” Whether you truly believe that privacy is dead or not, it certainly feels as though (when it comes to social networks) it may be sounding its death knell.
Our fascination with technology is a double-edged sword. As we push the pedal on our individualism, it has an often unexpected negative repercussion for our personal privacy. The Orwellian big brother always watching over us has arrived of sorts, not so much from the presence of government but more so from society, with camera phones, SMS, and data plans that connect us to the Web. With encouragement from journalistic sources such as CNN, which give individuals the opportunity to contribute not only their views on current events but also journalistic content such as still photos, blogs, and full-motion video, our culture has become enamored with the way in which news is reported. The fact is that these postings are supposedly not edited materials. While it’s interesting to have on-the-spot news, we must be ever mindful of the accuracy of such journalism, as it may unknowingly convey bias as a result of not being fact-checked in the manner to which we may be accustomed. Our manner of expression may not always align with the views of others, and with that can come indifference, intolerance, or even hostility. While it is in our nature to have some degree of social engagement, the level of visibility and access we have to the world is both an attractant and a concern. Not often are we conscious that the level of attention we are receiving, although good for our ego, can also be quite unpleasant and potentially harmful, especially if our contributions contain violent images or physical abuse. You may become a target if you are supportive of acts that are perceived as exploitive, dangerous, illegal, or predatory. Of course, an efficient way to become a target for attack is to advocate or issue offensive content such as hate speech or materials that may be perceived as ethnically offensive or racially motivated.
It is important to remember that this information we are so innocently providing can be easily taken out of context and used to harm us, the ones we love, or even the company that writes our paychecks.
We’ve seen with the various scenarios dealing with physical threats that our ability to run our mouths off is easy, but not as easy as typing it on a keyboard. And we tend to forget that the keyboard is sending information to sites that are viewed by millions of people whom we may or may not know. Remember when your mom told you as a child not to say something you didn’t mean? That is even truer now. Once we have posted or shared the information on a social network, we may or may not be able to take it back because once it’s there we may no longer own it.
Laws are now quickly adapting to cyberspace and social media outlets, and while our comments are often made in jest or out of mere internal frustration, there’s no guarantee that someone on the other side will interpret them that way. Familiarity is a common characteristic of many of the ordeals involving social networking threats and reinforces the need to take precautions before allowing people into your social circle. Until individuals take greater precautions to safeguard themselves from those who prey on others, physical threats will remain a concern given our increased visibility through social media. Just as we take instinctive caution in how we approach or are approached by perfect strangers, the same manner of precaution and reserve should be considered when engaging the wider audience found within social networks. Despite the distances, the ability to cause harm is merely a keystroke and mouse click away.
Don’t forget: the next time you decide to post about the awesome new project you are working on at the office or that cool Disney vacation you are getting ready to take your family on, you are giving strangers information they can use against you and the ones you care about. It’s pretty simple: if you wouldn’t tell the information to a stranger on the street, avoid posting it.
1. www.darkreading.com/blog/archives/2009/12/using_facebook.html
2. www.everyjoe.com/articles/ct-student-arrested-for-anti-snitch-warnings/
4. www.ncvc.org/src/AGP.Net/Components/DocumentViewer/Download.aspxnz?DocumentID=45862
5. www.ncvc.org/src/AGP.Net/Components/DocumentViewer/Download.aspxnz?DocumentID=45862
B. www.ftc.gov/os/statutes/fcra.htm
C. www.transportation.wv.gov/dmv/Manuals/.../DMV-OptIn-Brochure.pdf
D. www.ftc.gov/privacy/privacyinitiatives/glbact.html
E. www.ncvc.org/src/AGP.Net/Components/DocumentViewer/Download.aspxnz?DocumentID=45862