Cyberstalking

Make no mistake: this kind of harassment can be as frightening and real as being followed and watched in your neighborhood or in your home.

—former Vice President Al Gore¹

¹1999 Report on Cyberstalking: A New Challenge to Law Enforcement and Industry, Department of Justice, August 1999, http://www.justice.gov/criminal/cybercrime/cyberstalking.htm.

Cyberstalking is using the Internet (or other electronic media) to harass individuals, groups, or organizations. Cyberstalking can manifest itself as threats, accusations, identify impersonation, and sexual solicitation. Social media allows for these types of attacks to be mounted anonymously and to spread quickly across multiple networks.

Many of these attacks cause extreme personal distress to the individuals being targeted, in some cases even resulting in suicide (as in the case of Megan Taylor Meir, October 2006, the thirteen-year-old girl who was cyber-bullied on MySpace). In 2010, two teenagers in Pamlico County, North Carolina, were charged with a class 2 misdemeanor for cyberstalking their principal through a fake Facebook profile they created. The ensuing negative press, national coverage, and legal fees caused significant disruption that could be measured in the tens of thousands of dollars.

By tracking search results, forums, discussion boards, chat rooms, e-mail communications, instant messages, and the many social networks, identifying the source of the threat is possible. Many states have implemented cyberstalking laws: California, which was the first state, was followed by Alabama, Arizona, Connecticut, Florida, Hawaii, Illinois, New Hampshire, and New York. Unfortunately, prosecution at this time has been extremely lax and many perpetrators go unpunished.

Commonsense rules play an important role in protecting against cyberstalking. Since the Internet makes being anonymous so easy, knowing who the stalker is and where he or she is coming from is very difficult. An expert might be able to track down an IP address, but even that can be easily hidden with anonymous proxies. The ease with which attackers can create fake profiles, send fake requests, and take over other people’s identities has made it much easier to gain information about victims without too much fear of being found out.

NOTE

A complete list of government resources and filtering technologies can be found in the resources section of our website, www.securingsocialmedia.com/resources. To find state laws, check the site for the National Conference of State Legislatures at http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/CyberstalkingLaws/tabid/13495/Default.aspx. Other sites include QuitStalkingMe.com and WiredSafety.org.

Corporate Cyberstalking

Attackers can use completely legal means to gather information about their victims because that information is freely given on social media sites. Cyberstalking doesn’t have to be personal; it can also be used against corporations. If your competitor wants to know what clients are taking sales meetings with you, they might track down your sales teams on LinkedIn and see if they’ve “checked in” at or close to a customer’s site through Facebook or foursquare, or even track their travel patterns through TripIt, Dopplr, and other social travel services. Stalkers can find a lot of information about your sales team’s activity. So what are some steps a corporate attacker actually takes to stalk your company?

1. Company information Identify employees at the target. The easiest way to do this is with LinkedIn and Google searches.

2. Personal information Once you know the names of employees working at the target company, find out as much about them as you can on Facebook, Twitter, Flickr Blogs, MySpace, YouTube, etc. You can pull their e-mails, friends’ names, pets’ names, children’s names, schools they went to, and so on. Some folks will even accept a friend request. How many people still use a pet’s or child’s name as a password? When Gawker Media was hacked in December 2010,² the passwords were cracked. As you can see in Figure 5-3, some really simple passwords were being used, including “password.”

²“Gawker Hack: Hacked Database Compromises User Data,” Huffington Post (December 12, 2010), http://www.huffingtonpost.com/2010/12/12/gawker-hack-hacked-databa_n_795613.html.

Figure 5-3 Easy-to-hack passwords

3. Locate employees Find out where the employees hang out using Facebook Places, SCVNGR, Google Latitude, Loopt, Gowalla, foursquare, and other geolocation services. They might be with a customer and checking into the customer’s office!

4. Correlate information Use one of the numbers of social media tracking tools to continue to gather information about the competitor or employee of the competitor. Some tools include Seesmic, Social Mention, Addict-o-matic, HootSuite, Lithium, Radian6, IceRocket, CustomScoop, to name just a few.

5. Cross the line If you want to cross the line, you will have gathered enough information to get login e-mail addresses and probably enough information to guess passwords to accounts. A real cyberstalker will definitely cross that line.