
This is the first in a series of articles on Blogsecurify regarding the security of social networks and social media. In this article I will specifically talk about exploiting trust in social networks. My interest in social network/media security started several months ago when I put together a presentation on what many in the security community consider the "top 5" threats to social networks. You can read more about the presentation on my blog, spylogic.net.
The threats we will discuss in this article are "evil twin" attacks, cyberbullying and cyberstalking as they relate to the trust model of social networks. Let's be honest, it's trivial to exploit trust in social networks. Why? There is no form of real authentication on any social network such as Facebook, MySpace, LinkedIn and Twitter (to name just a few). You can impersonate anyone, become someone new or hijack the profile of another existing user with very little skill. Create a profile and make up an identity, complete with birth date, relationship status, goals and dreams. Guess what? You are welcomed into the community with a complete profile that was never authenticated or verified as real. This can lead to leveraging and exploiting multiple levels of trust for malicious purposes.
Interestingly enough, the only thing deterring you from creating a fake profile or assuming the identity of someone else is the "terms of use" of the various social media companies. Most state that you must be a real person and that you can't impersonate someone else. Take the Facebook terms of use for example:
"You agree not to use the Service or the Site to...impersonate any person or entity, or falsely state or otherwise misrepresent yourself, your age or your affiliation with any person or entity..."
Problem is...since when do attackers follow policies and terms of use?
The "evil twin" attack is where an attacker takes on the persona or identity of a real person. This real person could be a celebrity or someone like a CEO or CFO of a major corporation. Taking on the identity of the victim gives you access to friends and associates who now trust you because they think you are that person. Once you have access to a high value target profile you can potentially have access to lots of personal information...information that in some cases could allow you to conduct a password reset attack against the victim's web mail account (like what happened to Sarah Palin), as one example. It would be even more advantageous to use this profile to target the victim's friends as well. Why not...they trust you, right?
Further manipulation of trust relationships leads to a whole slew of social engineering scenarios with various goals that an attacker could accomplish. The list may well be endless, as the only limit to these types of attacks is the creativity of the attacker. Keep in mind that social engineering used as a way to attack people on social networks is not new by any means. Take for example the recent highly publicized Megan Meier "cyberbullying" case, where an adult female posed as a teenage boy to literally destroy the life of another teenager. Megan committed suicide because of an attack that took very little skill to complete, yet had a life-ending impact on the victim. We also see many different stories of cyberbullying/stalking in the mainstream media. Teens picking on teens, harassment of teachers, sexual predators, and manipulating relationships to damage the reputation of others are all popular trends. The list goes on, and these problems are only getting worse.
If you are reading this you are most likely in the security community and you "get it". You know not to trust anything or anybody on the Internet, let alone social networks, with your personal information. If you do allow access to your personal information then you probably know the risks and accept them. However, the people not reading this article are the ones that "don't get it", and we are talking about the majority of social network users. This includes your non-security friends, family and the general public.
So why don't the various social networks do something about this and educate their user base? The social networks will never promote using social networks safely. Why? Because the more information you share with them, the more valuable you are! It was estimated a few years ago, when News Corp purchased MySpace, that the average MySpace user at that time was worth approximately $27 each! Could you imagine the financial impact on the social network companies if every user started to lock down or stop giving away the private information contained in these networks?
I'm not suggesting you stop using social networks, but the key here is for us to educate the users of social networks that "don't get it". They should know that any information posted should always be considered public, and if you do need to share personal information, be very cautious about posting it. Trust in social media? There is no trust; this trust is implied and given.
At the end of this month (ironically October is security awareness month) I will be releasing a Facebook Privacy & Security Guide which documents the recommended privacy and security settings you should use while still being able to use the "social" aspects of Facebook. I also include tips that can be used with any social media application to enhance your security and privacy. The guide is short and easy to distribute. I encourage it to be shared with those that "don't get it". :-)
The next article in this series will talk about the security (or lack of security) of applications, widgets and anything else that can be added by a third-party to social network profiles.
2 comments:
So, in the end, it’s up to the parents. You want to keep your kids safe? Know what they are doing online. And, as luck would have it, there are tools to help you know exactly that. Check out our monitoring software PC Pandora. Until parents have the knowledge of what is happening in their kids’ online lives, they are powerless to do anything about the situation.
I think social networks can make use of digital signatures someday in order to prevent evil scenarios.
I can imagine the following solution. Facebook or Twitter asks you to sign your ID there, and then they publish the output somewhere on the site. People who know you and your public key can be sure that it is your account by checking such a signature.
But the problem here is that digital signatures and PGP keys are not so common, especially among normal users.
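The scheme the commenter sketches, written out as an added example that is not part of the original post and not code from the commenter or from any social network: a user signs a claim naming the site and the account with an Ed25519 key, publishes the signature on the profile, and a friend who already holds the user's public key checks it. The site and account names are constructed sample values, and the claim format (a fixed prefix plus site and account, separated by NUL bytes) is my own assumption; it exists so that a signature published on one site cannot be copied onto an evil twin profile or replayed as a claim about another site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// claimBytes builds the exact bytes a user signs. The prefix and the NUL
// separators are an assumed format: they make the claim unambiguous, so a
// signature over ("facebook", "alice") cannot be reused as a claim about
// ("twitter", "alice") or about any other account name.
func claimBytes(site, account string) []byte {
	return []byte("social-profile-claim\x00" + site + "\x00" + account)
}

// SignClaim is what the user runs once; the hex string is what gets
// published on the profile page for anyone to check.
func SignClaim(priv ed25519.PrivateKey, site, account string) string {
	return hex.EncodeToString(ed25519.Sign(priv, claimBytes(site, account)))
}

// VerifyClaim is what a friend runs. It needs the public key obtained
// out-of-band (in person, from the user's own web page), which is exactly
// the distribution problem the comment points out: the check is only as
// trustworthy as the channel the key came from.
func VerifyClaim(pub ed25519.PublicKey, site, account, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, claimBytes(site, account), sig)
}

func main() {
	// The user generates a long-lived keypair once (constructed here for the demo).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Published on the genuine profile (sample site and account names).
	sig := SignClaim(priv, "facebook", "alice.example")
	fmt.Println("published signature:", sig[:16]+"...")

	// A friend holding pub checks the genuine profile.
	fmt.Println("genuine profile:        ", VerifyClaim(pub, "facebook", "alice.example", sig))
	// An evil twin that copies the signature onto a look-alike account fails.
	fmt.Println("look-alike account:     ", VerifyClaim(pub, "facebook", "alice.exampIe", sig))
	// The same signature replayed on another site also fails.
	fmt.Println("replayed on other site: ", VerifyClaim(pub, "twitter", "alice.example", sig))
}
```

Nothing here stops someone from creating a profile in the first place; it only lets the people who already know a user's public key tell the genuine profile from a copy, which is the narrow guarantee the commenter proposes and why key distribution, not the signature itself, is the hard part.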