Shostack + Friends Blog Archive


Privacy and Security are Complementary, Part MCIV

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency.

In this occasional series, we present ways in which they complement each other. In this issue, the Financial Times reports that “Hackers target friends of Google workers”:

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks…The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

If friends lists were not being aggregated, this attack would have been harder to execute. How much harder is tricky to judge without more information about possible attack vectors.

Also, this is a nice example of the sort of externality that Facebook imposes on the networks of their users. Because Facebook exposes the fact that we’re friends, I have to treat communications from my friends with more suspicion.