Tuesday, April 30, 2013

Your Neighborhood Online, Good or Bad Idea?

I ran across the site Nextdoor.com; it is another social media site with one difference. “Nextdoor is the private social network for you, your neighbors and your community. It's the easiest way for you and your neighbors to talk online and make all of your lives better in the real world.” The idea is that only people in your real neighborhood can join. Out of curiosity I started looking around the demo site and began to think that this sounds like a terrible idea.

However, in my opinion this starts to go wrong very fast. A quick Google search for site:nextdoor.com already produces some interesting results. The first two pages of results include neighborhoods such as West Briar, Pointe Marin, Covie Hill and Bent Creek. Clicking these links takes you to a login page where you can get a little more information about the neighborhood, such as the city, the state and an outlined map of the neighborhood.

Figure 1

Okay, so what’s the risk? First, the “bad guys” already know the city, the state and the neighborhood. Another quick Google search turns up an invite page where you enter your address, and thanks to the mini map and a little more searching it is easy to find an address that falls within the outline.

Figure 2

The next step is an address verification page. The site requires one of three things: a credit card so they can check the billing address, a mobile number they can call, or a postcard they send to you in the mail. I won’t get into the other worries that some of those options might cause. It looks like they are trying hard to protect the people using the site, but is that enough? And can it be easily circumvented?

What if someone simply gets into a valid account (we don’t care about how at this moment; it happens every day on many sites)? Could an attacker use any of the data or information to their advantage? The demo site shows us that there is a lot of information ripe for the picking.

The site is a standard social media site. You have maps, an inbox, events and a Neighbors button; the exception here is that the site really wants your physical data as well, and it becomes a data gatherer’s dream. Clicking on a user shows some useful information; obviously it is up to the user what to display. With the data in figure 3 an attacker could start looking to impersonate that person, or use the data to gain access to other accounts via password resets or challenge questions like “what is your dog’s name?” or “what is your oldest child’s name?”

Figure 3

As we go deeper into the site we start to see more information that could be valuable or even deadly. The personal risk you accept is huge; one of the best things about the internet is that, if you’re careful, someone finding you in the real world is a little bit challenging.

Figure 4

This example on the demo site shows a user asking for a babysitter from 4-10 pm, and other users posting phone numbers of great babysitters. This of course is incredibly helpful for the person needing the sitter. But what does it tell the bad guys? Mom or Dad won’t be home from 4-10, the name and number of the babysitter are known, and the kids are older, most likely between the ages of 7 and 12. That information could be valuable to any person who wants to use it to their advantage. Did this home just become a possible target for a personal attack, a robbery, an angry boyfriend of the babysitter, or that creepy person down the street that nobody talks to?

It is your job to decide whether this information is secure and okay to display to the public. Whatever privacy claims are made, assume that someone you don’t want seeing this information will see it. Above all else protect your family and yourself, and maybe, just maybe, actually go outside and talk to your neighbors. Finally, another important item to consider when signing up for this type of site is: do they care about security? Looking at the current job postings, they are hiring a lot of developers, and none of the posted requirements mention “secure coding practices”. Hopefully that is asked during the interview process.

1 comment:

  1. Thanks for confirming what I had thought when I saw the 20/20 piece. Just because you may have some great neighbors, doesn't mean you don't have any scathy ones!