January News from Information Security

Welcome to the new year and new semester! I hope everyone’s holiday time was good, restful, and productive. With the spring semester here, the work begins anew in 2025. What better way to kick off the new year (cybersecurity-wise) than to celebrate Data Privacy Week? Data Privacy Week is January 27-31 this year. Look for a bonus article during that week addressing data privacy. For now I want to present a somewhat novel topic here in the newsletter, one that affects everyone from students to faculty to staff to alumni to retirees. Almost all of us have social media accounts, but I’m not here to harp on the need to be careful about what (and when) you post to social media. We’ll talk about that later in the month.

Social media includes many sites dedicated not to sharing our latest personal news, but to sharing on a professional level. One of these sites is LinkedIn. The college has an agreement with LinkedIn Learning to provide training courses across a wide range of topics, but I am focused today on the professional profile side of LinkedIn, where you can tout both yourself and your company to others on the site and to the public at large.

Many of us have created and updated our LinkedIn profiles, keeping others up to date on our position progress, promotions, training, location, and other semi-sensitive items. This profile activity allows for a fairly novel type of information “scraping”. There are now several web services that scrape LinkedIn and other social-media style professional websites to create unofficial organizational databases for companies under the guise of lead generation.

The first one I encountered was TheOrg.com. It promotes itself as a tool for candidates, companies, and professionals, with pricing plans that allow for free accounts (geared toward individuals and candidates) up to enterprise plans that essentially allow for unlimited aggregation of data from LinkedIn and other sites to help headhunters and recruiters find jobs for candidates and ostensibly any company to “promote” itself. What is actually on the site when you look up a company that doesn’t have an account with TheOrg is an inaccurate and misleading organizational chart, inaccurate company details, and laughably inaccurate “teams”. For fun, go to TheOrg and check out what they have on Berry College.

The second and more insidious site I found was RocketReach. This site does more than attempt to scrape and create org charts. It reveals to paying customers contact information scraped from the Internet, and reveals partial contact information to the public, including most of the telephone number and domain names for known email addresses for people in the organizational charts. Again, these charts are inaccurate and incomplete, as is potentially some of the contact information. The primary customer of RocketReach is in either sales or recruiting, as it bills itself as a “lead intelligence” provider.

Now to be perfectly clear – neither one of these sites is doing anything illegal as far as my non-lawyer self can determine. They are simply scraping, aggregating, sorting, and presenting (for profit) company and employee data based on limited and already public information. However, the aggregation and inaccurate rendering of company information (and at times, information intended to be personal) borders on invasive, opportunistic, and (dare I suggest?), creepy. Their efforts are particularly ineffective and inaccurate for educational institutions like Berry, as many student work positions get included in their employee org charts based simply on the title of the position. This results in inaccurate data, which doesn’t just hurt their reputation, but potentially exposes information about employees and students in a “public” forum in which they did not intend to present themselves.

Thankfully, you can request to be removed from these and other sites, but this generally has to be done on a site-by-site basis. Each site has its own method for requesting removal. This is a link directly to the opt-out form on TheOrg. Realize that they must retain your business email address to continue to exclude you from their system. This article describes how to remove yourself from RocketReach. The process has actually changed a bit since the article was posted, as you now have to create a free account to remove your data from the site.

There are many other sites like these, built for a variety of different purposes, and it is nearly impossible to stay out of their databases, but there is some help for this. DeleteMe and Incogni are two services that help you stay out of online databases. Granted, to help you do this, you have to submit your data to them, but they both have generally solid reputations. They are not free services, of course, but DeleteMe offers what it calls DIY Opt-Out Guides on their site in case you are unable or unwilling to pay them to remove your data.

If you’ve ever received an email or a phone call from a company you’ve never heard of or had any contact with, particularly in connection with a sales pitch or job opportunity, you can pin that on companies like TheOrg and RocketReach. And while those calls may be perfectly on-the-level, most other calls like this are social engineering attacks, something we will address in the article posting the week of the 27th. We’ll also provide an updated list of resources to help you manage your privacy settings and keep yourself more secure while using the Internet.

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smartphone. But don’t stop there! Use Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! Avoid using “unsubscribe” links and report spam via the “Report message” button, just like you would a phishing email.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month.

Food For Thought

The devastation caused by the fires in Southern California has been apocalyptic. I know our hearts go out to everyone affected by this tragedy. But the strong winds and out-of-control fires gave us a glimpse at one of the most disturbingly beautiful (or frightening) manifestations of nature’s power – fire tornadoes. WARNING: The video not only shows these terrifying funnel clouds, but also the devastation of the city, so if images of this nature cause you distress, please don’t start the video. You can consider yourself “done” with the newsletter.
