The Worst InfoSec Resume, Ever

I do quite a bit of InfoSec résumé reviewing and critiquing, both personally and professionally, so I’m repeatedly asked for tips on common problems. To make sure these problems were not exclusive to me, I recently had a lengthy discussion with a number of InfoSec professionals involved in hiring (thank you!). We discussed our “top 10” pet peeves when reading candidates’ résumés.

So without further ado, here is an illustrated example of some common problems we see on many résumés, and some suggestions about how to fix them.

(If these images are hard to view on your phone or at a specific resolution, you may click them to view them full screen.)

[Image: annotated résumé, page 1]

[Image: annotated résumé, page 2]

The Top 9 Ways I Found Your ‘Secret’ Dating Profile

  1. You reused a cute username (or email address).

Aliases and usernames have become a big part of our personal online presence, and we often feel tied to them when we register for new sites and services. This can be a great way to build an online identity, but it can also make it trivial to tie our activity on various services together.

Even if your registered username isn’t immediately visible in a dating profile, it’s often visible in the URL of your profile, your profile photo filenames, or during communication with other users.

There are plenty of free and paid services which search and monitor social media and email accounts by username. Pipl is a great example. It will rapidly scan popular sites and services for email addresses, usernames, names, and phone numbers to build a comprehensive profile of a person.

[Image omitted]

Namechk.com performs a broader sweep of services for usernames only, immediately flagging services where a particular username has been registered. This is an easy way for someone with malicious intent to draw connections between a dating site profile username and your ‘real’ life, even if your profiles are correctly private or hidden.

[Image omitted]

Simplest of all, a plain Google search will often turn up social media profiles, forum posts, and blog comments tied to a particular username. If you’re concerned about dating site matches finding your online presence, or people online finding your dating profile, just don’t reuse usernames or email addresses!

  2. You reused profile pictures.

A few years ago, image recognition on a large scale was restricted to law enforcement and corporate security. This isn’t true anymore. Free services like Tineye and Google Images will search billions of indexed images on the internet for identical or similar pictures. This is not simple hash or metadata matching, so cropping or resizing an image is not a foolproof way to defeat it (as I show in the screenshots below, where Tineye and Google correctly identified my profile selfie, which is substantially cropped on social media). The photos are visually similar enough that the search engines’ algorithms can draw a connection.

[Images: Tineye and Google Images results]

Ultimately, this means that if you are interested in privacy, you should never reuse a photo or set of photos that you’ve used elsewhere on the internet (at any time) on your dating profile. Choose where to use your glamour shots, wisely!

  3. You forgot to check and sanitize your pictures.

Reuse isn’t the only situation in which photos can compromise your privacy. There are two sets of clues that can give away important personal information in your photos. The first are old-fashioned visual clues. Consider: is there a window in your photos, and are there identifiable buildings or landmarks outside of it? Were your photos taken in an apartment building or dorm that can be easily identified in other people’s photos? I highly recommend reading this eye-opening blog on the subject by IOActive. Give some thought to what people can see in your photos’ backgrounds before posting them to your private dating profile.

The second way your photos can betray your privacy is a bit more technical, but still terribly important to recognize. It has to do with hidden information, or ‘metadata’, which is tacked onto most pictures by phones, photo editing software, and digital cameras. You can’t see EXIF metadata without using special tools, but it may contain startling amounts of information about where the photo was taken, by whom, and when. This exists primarily to help out professional photographers and photo storage tools.

[Image: the photo taken at Disney World]

I took this pretty photo at Disney World. Let’s look at some of the data hidden inside of it:

Create Date  : 2016:02:20 20:01:04
Make         : Samsung
Orientation  : Horizontal (normal)
Flash        : No Flash
Focal Length : 4.3 mm
GPS Position : 28 deg 21′ 27.100″ N, 81 deg 33′ 29.71″ W

Even with location geotagging disabled in your camera settings, metadata still provides a tremendous amount of detail about you and your devices, and can even uniquely identify photos taken with your camera. (The use of photo editing tools also becomes blatantly obvious, which can be a cause for some embarrassment.) Ensure you remove identifying metadata from photos before posting them onto your dating profile.
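To make the metadata point concrete, here is an added Python example that is not from the original post and is not the tool that produced the dump above. It builds a small synthetic JPEG whose Exif segment carries a Make tag and GPS coordinates (the values are constructed for the example, chosen to mirror the dump), reads them back with a minimal pure-Python Exif parser, and then strips the metadata-bearing segments the way a sanitizing step should before a photo is uploaded. The parser handles only the handful of TIFF types and tags needed here; a real sanitizer should also consider XMP, IPTC and thumbnail data, which is why the stripper drops whole segments rather than editing individual tags.

```python
import struct

# Constructed sample values for this example (mirroring the style of the post's dump).
SAMPLE_MAKE = b"Samsung\x00"
SAMPLE_LAT_DMS = [(28, 1), (21, 1), (27100, 1000)]  # 28 deg 21' 27.100" as rationals
SAMPLE_LON_DMS = [(81, 1), (33, 1), (2971, 100)]    # 81 deg 33' 29.71"

TAG_MAKE, TAG_GPS_IFD = 0x010F, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}

# Metadata-bearing segments: APP1 (Exif/XMP), APP13 (IPTC/Photoshop) and the other APPn,
# except APP0 (JFIF) and APP2 (ICC colour profile), plus COM comment segments.
METADATA_MARKERS = (set(range(0xE1, 0xF0)) - {0xE2}) | {0xFE}


def build_sample_jpeg():
    """Build a synthetic JPEG: SOI, Exif APP1, a COM segment, a stub SOS, EOI (no real pixels)."""
    ifd0_off = 8
    make_off = ifd0_off + 2 + 2 * 12 + 4   # IFD0 holds two entries
    gps_off = make_off + len(SAMPLE_MAKE)
    lat_off = gps_off + 2 + 4 * 12 + 4     # GPS IFD holds four entries
    lon_off = lat_off + 3 * 8
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off)  # big-endian TIFF header
    tiff += struct.pack(">H", 2)
    tiff += struct.pack(">HHII", TAG_MAKE, TYPE_ASCII, len(SAMPLE_MAKE), make_off)
    tiff += struct.pack(">HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off)
    tiff += struct.pack(">I", 0) + SAMPLE_MAKE          # no IFD1, then the Make string
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", GPS_LAT_REF, TYPE_ASCII, 2) + b"N\x00\x00\x00"  # inline value
    tiff += struct.pack(">HHII", GPS_LAT, TYPE_RATIONAL, 3, lat_off)
    tiff += struct.pack(">HHI", GPS_LON_REF, TYPE_ASCII, 2) + b"W\x00\x00\x00"
    tiff += struct.pack(">HHII", GPS_LON, TYPE_RATIONAL, 3, lon_off)
    tiff += struct.pack(">I", 0)
    tiff += b"".join(struct.pack(">II", n, d) for n, d in SAMPLE_LAT_DMS + SAMPLE_LON_DMS)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    comment = b"Edited with ExampleEditor"             # constructed editor comment
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\xff\xda" + struct.pack(">H", 2) + b"\x01\x02\x03"  # stand-in for scan data
    return b"\xff\xd8" + app1 + com + sos + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, raw_segment); SOS and everything after it is yielded as one item."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):              # SOS (scan follows) or bare EOI
            yield marker, data[pos:]
            return
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:pos + 2 + seg_len]
        pos += 2 + seg_len


def strip_metadata(data):
    """Return a copy of the JPEG with all metadata-bearing segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += seg
    return bytes(out)


def _read_ifd(tiff, off, e):
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, cnt, tiff[base + 8:base + 12])
    return entries


def _value(tiff, entry, e):
    typ, cnt, raw = entry
    size = TYPE_SIZE[typ] * cnt
    if size <= 4:
        data = raw[:size]                        # small values are stored inline
    else:
        off = struct.unpack(e + "I", raw)[0]     # larger values live at an offset
        data = tiff[off:off + size]
    if typ == TYPE_ASCII:
        return data.rstrip(b"\x00").decode("ascii", "replace")
    if typ == TYPE_RATIONAL:
        nums = struct.unpack(e + "II" * cnt, data)
        return [nums[i] / nums[i + 1] for i in range(0, 2 * cnt, 2)]
    if typ == TYPE_LONG:
        return list(struct.unpack(e + "I" * cnt, data))
    raise ValueError("unsupported TIFF type %d" % typ)


def _dms_to_degrees(dms, ref):
    d, m, s = dms
    deg = d + m / 60 + s / 3600
    return -deg if ref in ("S", "W") else deg


def extract_metadata(data):
    """Return the Make and GPS position (decimal degrees) from the Exif APP1 segment, if any."""
    for marker, seg in iter_segments(data):
        if marker != 0xE1 or seg[4:10] != b"Exif\x00\x00":
            continue
        tiff = seg[10:]
        e = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        found = {}
        if TAG_MAKE in ifd0:
            found["Make"] = _value(tiff, ifd0[TAG_MAKE], e)
        if TAG_GPS_IFD in ifd0:
            gps = _read_ifd(tiff, _value(tiff, ifd0[TAG_GPS_IFD], e)[0], e)
            if all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
                found["GPSPosition"] = (
                    _dms_to_degrees(_value(tiff, gps[GPS_LAT], e), _value(tiff, gps[GPS_LAT_REF], e)),
                    _dms_to_degrees(_value(tiff, gps[GPS_LON], e), _value(tiff, gps[GPS_LON_REF], e)),
                )
        return found
    return {}
```

Running `extract_metadata(build_sample_jpeg())` yields the make and a decimal position (about 28.3575, -81.5583); after `strip_metadata` the same call returns an empty dict and the file is smaller by the Exif and comment segments, while the scan data and EOI are untouched. Dropping the COM segment and any Software tag is what removes the "obviously edited" signal the post mentions.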

  4. You forgot that the internet is forever.

If I were forced to pick only one error which causes dating site members the most personal embarrassment over the long term, it’s forgetting this. A single mistake made months earlier can haunt you. Let’s imagine that before reading this article you uploaded your professional headshot to your dating site profile. You realized a few days later that it was too much of a privacy give-away, and made the wise choice to switch to a new photo. You might not be out of the woods.

Search engines and archive sites are continually indexing as much content as they can from the internet. These sites retain cached copies of images and pages long after they are changed or erased at the original source.

Somebody with malicious intent may use this to their advantage when trying to correlate your dating profile to other web content. He or she will very likely check search engine caches for old pictures or bios that are easier to identify or contain embarrassing details. If that professional headshot is still in a cache associated with your dating profile, he or she can use Tineye to match it to your corporate bio that shares the same photograph. If you’ve changed your username, he or she may be able to find the previous version.

Unfortunately, this isn’t an easy thing to fix after the damage is done. The bottom line is: assume that anything posted to the internet is perpetual, and usually cannot be removed (even through legal action). If you post data which compromises your privacy or reputation to your profile, remove it immediately and consider starting fresh with an entirely new profile. If needed, pursue sites and search engines to remove what they can and will, and disassociate your online identity as much as possible from the content.

  5. Minor details tell a larger story about you.

This is open source intelligence 101. The individual facts and conversations you post on dating sites might not give away your identity, but as a collective whole, they may. Give some consideration to how much information you’re giving other users over time and as a whole. Did you post that you live in Milwaukee, tell a user that you live in an apartment with a pool, and tell another that you live next to an airport? These pieces of information put together say a lot more about your location than they do individually.

[Image omitted]

Pay attention to details. How much information have you posted on your profile over time as you’ve updated it? How much information are you providing in private conversations with other users?

  6. Your social media profiles aren’t private enough.

The number one open source intelligence source that people with evil intent will try to use against you, or to identify you, is your social media profiles. You make a malicious person’s life significantly more difficult simply by locking down your social media profiles so that nobody except people you know personally can view them, or so that whatever data remains publicly visible is not enough to give an attacker an advantage.

  7. You joined your social media profile to your dating site account.

We’ve previously discussed the privacy risk posed by sharing photos, usernames, and email addresses between your private dating profile and the rest of your online presence. Linking your social media accounts may be a simple and timesaving way to create an account on many dating sites and apps, but these sites frequently import most of the data we’ve discussed above directly into your dating profile and account. Given all the points we’ve discussed previously, this is obviously not a wise choice.

I highly recommend using an entirely new and separate email account to sign up for a private dating profile. If the site in question absolutely requires linking a social media account, start a new one without unnecessary personal details.

  8. You forgot that social engineering (and catfishing) happen, and can happen to you.

No matter who you are, which gender you are, what you do for a living, or how much money you make, you can be a target for fraud or social engineering. Somebody who wants to manipulate or identify you on a dating site may attempt to gain your trust before drawing you into a trap. If something doesn’t feel right, it probably isn’t. If something seems too good to be true, it probably is. Be very cognizant of members leading you into revealing unusual personal details, compromising photos, or financial information. Dating sites are fair game to cyber-criminals.

  9. You weren’t aware that you were accepting risk.

Dating online, like the rest of our lives, carries some inherent risk. The level of risk associated with joining a dating site and interacting with others on that site varies by each individual’s situation. For example, this risk may be to your reputation if your profile (or behavior with other users) were publicized, or to your personal safety if your location or identity were compromised.

Online dating is a great option for many people and many healthy relationships exist today because of it. You must simply consider what level of risk you’re willing to accept before doing it. Even if you are meticulous in protecting your online presence, there will always be circumstances outside your control. What would the consequences be if the site were breached, and your identity and interactions were posted online or sent to your employer or family? If somebody successfully identified you, how easy would it be to find your street address or place of business? Like any other activity that carries some significant risk, you must consider these types of questions and make your own informed decision.