
Thanks for Sharing

by Lisa Vaas (LisaVaas) on 20-10-2011 06:00 AM

Google Alert, Sun, Sep 25, 2011, 12:58 a.m.: Lisa Vaas Facebook Twitter & MySpace on PeekYou

“Looking for Lisa Vaas?” the link asked Lisa Vaas. “PeekYou's people search has 2 people named Lisa Vaas,” it said, and assured Lisa Vaas that Lisa Vaas can find Lisa Vaas’s contact info, photos, links, family members, and more.

It was true, or, at least, given some outdated information, true-ish. Female, 49 years old, Jamaica Plain, Massachusetts, USA, etc., etc., etc. The sources: Other information aggregators (PeopleSmart, Spokeo, US Search, mylife.com, et al.), public records (including property deeds and phone listings), social media sites (MySpace, neighborsforneighbors), blogs, homepages, news articles, and other links to public activity on the Internet.

While much of that personal information comes from public records, way too much comes from social media.

Are we sharing too much on social media? Of course we’re sharing too much on social media.

And okay, granted, information aggregators such as PeekYou aren’t doing anything illegal. (Unless they’re Web scraping. Which PeekYou says it doesn’t do. The jury’s still out, or, rather, the jury is still tossing around the legality of Web scraping, with cases percolating all over. Check this Wikipedia listing for legality issues.)

But information aggregators’ data bundles do point out how extraordinarily easy it is to find information about us, and about our companies. When it comes right down to it, we tend to share more intimate details on social media, as if it’s some kind of clubhouse to which only our BFFs know the password.

Given that online behemoths like Google are aiming to turn into banks and to get ever more snuggly with personal data, it’s worthwhile to check in on how the landscape is evolving and what threats social media—especially an “I want to be your bank” Google—might pose to businesses.

Herein, scary factoids, plus input from the infosec crowd on how we, and our businesses’ users, should electronically shut up.

Obligatory scare factoids

Out of the 107,439 incidents reported to US-CERT in 2010, more than half were phishing attacks. That’s a big item, and beyond making social engineers some coinage, it’s also costing somebody. Check Point Software Technologies recently surveyed 850 businesses, and 48% said they’d been hit by some kind of social-engineering sting over the past two years, with each incident reportedly costing between $25,000 and $100,000 in business disruptions, customer outlays, revenue loss, and brand damage.

“We’re seeing use of social media to collect intel that gets translated into fairly intelligent, well-crafted spear phishing attacks,” says Anup Ghosh, Founder and CEO of Invincea, which markets Invincea Browser Protection—a kind of browser condom that virtualizes Web browsing, sealing users off from swapping electronic bodily fluids with infectious scammers. Instead of an in-house system getting infected by unsafe browsing, only the virtualized environment gets infected, and that can be diagnosed and cleaned up. “We are seeing a lot of [these attacks],” he says. “Today, when you talk to people who do incident response and remediation, the people who clean up after infection, they’ll tell you over 90% of infection vectors come in through spear phishes.”

The best sources are social media outlets like LinkedIn, Facebook, or Twitter, Ghosh says. “They’re great places to start to gather info about what your target does, what their role is, who are the people they’re connected to, and then to even try to join their group.”

If you were to target a large computing company, for example, say, if you wanted to grab its 10K public filings before they were released publicly, well, that info is very proprietary, Ghosh says.

So you’d want to target the CFO’s office. How do you find who that is? You might look at public records, or perhaps you could go to LinkedIn, do a search on the (Company Name) CFO, or even better, (Company Name) finance. “You’ll likely find someone in that office,” Ghosh says. “So now you have a target. Then it’s just a matter of sending a crafted e-mail to that target that convinces them to click on a link or open an infected attachment. After that, a spear phisher can get on the target’s machine.”

One of the most spine-tingling recent phishing attacks and counter-attacks, one packed with Hollywood plot-twisting, was the story of HBGary Federal’s Aaron Barr. That story entailed Barr’s claims of socially engineering his way into the hacktivist Anonymous group. Anonymous subsequently social-engineered a counterattack, apparently by spoofing a request for a password change that HBGary Federal swallowed hook, line, and sinker. Anonymous gained control of HBGary Federal’s site; hacked into its e-mail server (for which Barr was the admin); watched communications, undetected, for 30 hours; extracted over 40,000 e-mail messages; and posted those e-mails on The Pirate Bay. (Ars Technica’s Nate Anderson does the full story proud.)

Barr’s premise for selling his firm’s services to government outfits was that, as Ars Technica’s article quotes him as saying at a closed Department of Justice conference earlier this year, he had “specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100% success” through social media.

His theories involved first scraping sites such as Facebook or LinkedIn to then draw conclusions, such as identifying a person’s town of residence by assuming they likely live in the same town as the majority of their friends. Barr extended the rationale to identify hacktivists by analyzing information publicly displayed by people who his research told him (perhaps erroneously), were the hacktivists’ friends and family.

Although Barr’s bravado cost him, his techniques were sound. Lots of people do post lots of personal information on social media sites. If even a small fraction of the lines Barr drew between his targets and the personal information put up by their friends and family were accurate, it means that personal data on social media translate into quite a lucrative means of acquiring bait for spear phishers. 

Why scarysharing is morphing into super-scarysharing

We trust Facebook and Google with our personal data, despite regular manifestations of their infrastructures’ security flaws. One such was the 2008 Facebook birthday bug, discovered by Sophos’ Graham Cluley, which concerned a new profile page ignoring privacy settings and inadvertently bleeding members’ birthday data. Another was the DigiNotar fiasco, which entailed a falsely issued Google SSL certificate in the wild for more than five weeks and resulted in 300,000 compromised Iranian Gmail accounts. And then there was DroidDream: 58 malware-carrying applications Google removed from its Android Market in March, some designed to reveal users’ private information to a third party, to replicate onto other devices, to destroy user data or to impersonate the device owner.

As Lookout Mobile Security CTO Kevin Mahaffey (per LinkedIn: BS, U of SoCal, Electrical Engineering, Summa Cum Laude!) told NetworkWorld, DroidDream allowed malware to “break out of the security sandbox on Android,” which, he said, “you’re not supposed to be able to do.”

McAfee’s Director of Security Research and Communications Dave Marcus (per LinkedIn: David Marcus. Location: Washington D.C. Metro area) said the malware was significant because the apps lived in the official Android marketplace, not some third-party slum marketplace. If such malware can break out of the typical sandbox in which most apps reside, it can potentially gain control over the entire device and its data, he said. “In terms of attacks and malware, it doesn’t get any worse than root access, which this malware has,” McAfee told NetworkWorld.

The threat level is bound to increase beyond the current dangers of phishing, given that Google chairman Eric Schmidt recently admitted the company intends to be an “identity service”—read “bank,” according to Dave Winer, who points to the real reason for the real names policy and why Amazon is stockpiling cash.

Meanwhile, Google+ traffic jumped 13-fold when it opened up to the general public in September. More people, more data, more phishing bait. We’re evolving to a point where we’ll use our smartphones as wallets, and companies like Google and Amazon are positioning themselves to be at the fulcrum of that shift. 

Are they secure enough to trust with our personal data? With our financial data?

How the social media sites could help us out a little, here

Graham Cluley, senior technology consultant at Sophos (per PeekYou: Male. Age: Unknown. Location: Oxford, England. Spokeo: “No results found!”), is an expert at worrying about the junk people put online, how scams operate on social media, and how the security/privacy gates the social media sites put in place can’t necessarily be trusted.

Not that they don’t get some things right. Google+’s circles allow users to cherry pick who sees what, the company having learned from the grief that Facebook got over this issue, Cluley points out. Another smart move: Google turns on HTTPS by default.

What he’d “love to see,” though, is Google putting in additional security for business brands, Cluley suggests. A good step would be an additional level of authentication, other than user names and passwords. “Thirty percent of people use the same password everywhere,” he says. “We know that. We need an additional level of security for when people are silly with passwords.”

“There’s never been the ability to use Google+ without SSL, to prevent people snooping at cafés,” Cluley says. “So that’s terrific. But it’s still down to individual users and how safely they use social networks. And when you put a lot of eggs in the Google basket, what happens is you end up using one password, and that one password unlocks Gmail, Google+, Picasa, Google Checkout, all these things.”

By turning on two-factor authentication, Cluley has ensured that to get into his Gmail account, he has to have a physical gadget—his phone—as well as a user name and password. After all, user names and weak passwords (i.e., pets’ names, spouses’ names) can be guessed, either by brute-force/automated dictionary means or personal information clues scraped together from social media.

After logging in with a user name and password, Google also sends him a text message he has to retrieve from his cell phone. To log in, a phisher must not only have guessed his user name and password but also needs access to his phone—an unlikely scenario, for sure. (For the strongest passwords, Cluley and others recommend coming up with a unique phrase and then using just the first letters of each word, mixing them up vis-a-vis upper- and lower-case and leetspeak-ifying it. Here’s a video on how it’s done.)
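The phrase-initials recipe above, and the contrast with a pet’s name that a phisher can scrape from a profile, as an added Python example (not from the article or from Sophos). The leetspeak table, the minimum word count and the tiny name list are constructed for the demonstration.

```python
import re

# Constructed leetspeak table; the article names the trick but gives no table.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
UNLEET = {v: k for k, v in LEET.items()}
MIN_WORDS = 8  # assumed floor; shorter phrases give too few characters


def phrase_to_password(phrase: str, leet: dict = LEET) -> str:
    """Derive a password from a memorable phrase as Cluley describes it:
    take the first letter of each word, alternate upper/lower case on the
    letters, and leetspeak-ify the letters that have a substitution."""
    words = re.findall(r"[A-Za-z]+", phrase)
    if len(words) < MIN_WORDS:
        raise ValueError(f"phrase has {len(words)} words; use at least {MIN_WORDS}")
    out, letters_seen = [], 0
    for word in words:
        ch = word[0].lower()
        if ch in leet:
            out.append(leet[ch])  # e.g. a -> 4, s -> 5, t -> 7
        else:
            out.append(ch.upper() if letters_seen % 2 == 0 else ch)
            letters_seen += 1
    return "".join(out)


# Constructed sample wordlist standing in for the pet and spouse names a
# spear phisher could collect from a social media profile.
NAMES = {"fluffy", "rex", "max", "bella", "sarah", "michael"}


def looks_guessable(password: str, wordlist: set = NAMES) -> bool:
    """True if the password is just a wordlist entry dressed up with the
    usual tricks: capitalisation, trailing digits or leetspeak."""
    base = password.lower()
    candidates = {base, re.sub(r"\d+$", "", base)}
    # Undo leetspeak on each candidate so "r3x" and "Fluffy2011" are both caught.
    for cand in list(candidates):
        candidates.add("".join(UNLEET.get(c, c) for c in cand))
    return any(c in wordlist for c in candidates)


if __name__ == "__main__":
    phrase = "my first car was a rusty blue Volvo that never started in winter"
    derived = phrase_to_password(phrase)
    print(derived, "guessable:", looks_guessable(derived))
    print("Fluffy2011", "guessable:", looks_guessable("Fluffy2011"))
```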

Now, what Google needs to do is port that two-factor authentication to business brands, Cluley says. Then he’d rest easier about the security of at least one of the social media giants.

And then there’s Facebook

There are lots of things that scare Cluley about Facebook, including the endless stream of scammers that live in its ecosystem. Another issue is the fact that Facebook doesn’t make it easy for a business to secure its page.

Sophos itself has a popular Facebook page, the only thing protecting it being a user name and password. “Frankly, the thought of it is terrifying to me,” Cluley says. He has half a dozen admins on that page. If any of them gets hacked, it could potentially cause problems in front of 20,000 people.

“We’ve put measures in place to reduce the chance of that happening,” he says. “But it’s not something Facebook makes easy.”

As it is, any one of his six admins can boot off any other admin. If hacked, the compromised account could kick out all other admins. Here’s a video where Cluley shows how Facebook fan pages can get hijacked, in spite of Facebook’s incorrect claims that original admins can’t get bumped. The Internet has hundreds of stories of woe from users who’ve lost their pages in this way.

Sophos deals with it by not allowing its admins to use their personal Facebook accounts as Sophos admin accounts. That way, if an admin uses his personal page for fun or personal whatevering, no harm comes to the company from that admin’s personal page getting click-jacked or having junk maliciously installed.

On the business side, admins aren’t allowed friends on their accounts. They’re given suitably lengthy and complicated passwords that aren’t easy to crack or guess.

But that’s it. That’s as far as Cluley feels he can go with Facebook’s infrastructure. He’d love two-factor authentication, requiring people to prove they are who they say they are.

Facebook isn’t there yet. Google isn’t there yet for business brands. Users aren’t there yet for using different passwords for different purposes, never mind making them hard to guess.

Lisa Vaas?

She has Cluley-scrubbed and leetspeakified all passwords, so yo, <P33k> this


The HP Input Output site is sponsored by HP and features articles and content from HP and third-party contributors. Third-party articles and content, while paid for by HP, do not necessarily represent the views and opinions of HP. HP does not endorse this content and is not responsible for its accuracy, availability and quality.
