
Control Your Identity

One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer's, "Satan is on My Friends List". Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it.

In my case it wasn't that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that's not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren't really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing.

I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you've sent me a link request because you read the blog or listen to the podcast, and I haven't responded, that's why. Otherwise it loses any usefulness as a tool for me.

One of Shawn's recommendations for protecting yourself is to build a profile, even if you don't actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. Will it help? Maybe not- it's easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that's worth.

One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven't really stayed in touch with many people from high school days; in my mind's eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we're not all that old, but at 37 we're far past any reasonable definition of youth.

Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive.

—Rich


Comments:


By ShawnM on 08/19 at 09:47 AM

Rick:

Thanks for being a good sport! One of the requirements Marcus had was that we not reveal any names of those who bought the impersonation, and I'd forgotten until now that you were on Evil Marcus' friends list, actually. I mostly just harvested connections that other folks from Tenable had, and looked for security folks with a high number of contacts.

For me, what gets interesting with impersonation on a SocNet, as I mentioned in the talk, is a sort of low-noise spearphishing—impersonate someone in a large company or government organization who doesn't have a profile, and LinkedIn becomes a great way to harvest valid contacts and email addresses for a targeted attack.

If you combine this tactic with SocNet applications, it becomes a great way to deliver customized malware aimed at your target organization, with a large user population that is very likely sitting on the corporate LAN on their company-provided PCs… Malware-as-a-service, as Nathan likes to call it.

We didn't expect to succeed for long with folks in the security community (in fact, Tenable CEO Ron Gula ultimately outed us) but I think with a more trusting population we probably would have gone a lot longer without being exposed. I may actually already know the answer to that question, but I'm not telling. =)

As I've said, a simple fix here would be for LinkedIn to require some validation method, like sending an email from the domain of the company you claim to be employed by and giving companies the opportunity to self-register for the service, but so far, they haven't implemented anything like that.
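The validation step Shawn describes above, proving control of a mailbox at the claimed employer's domain before an employment claim is shown on a profile, worked through as an added example. This is illustrative code written for this page, not anything LinkedIn or Securosis built; the function names, the token layout (HMAC-signed, time-limited, bound to the user and the domain) and the sample identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this example: a real service loads the key from a secret
# store and rotates it. The key is what stops a user minting their own token.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 60 * 60  # the emailed link is valid for one hour


def mailbox_domain(address: str) -> Optional[str]:
    """Return the lowercase domain of an email address, or None if malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()


def issue_challenge(user_id: str, claimed_email: str, claimed_domain: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Create a signed, time-limited token for an employment claim.

    A token is only issued when the mailbox lives at the claimed company
    domain. The service then emails the token to that mailbox, so only
    someone who can read mail at the domain can complete the check.
    """
    domain = mailbox_domain(claimed_email)
    if domain is None or domain != claimed_domain.lower():
        return None  # "I work at example.com" but the mailbox is elsewhere
    issued = int(now if now is not None else time.time())
    expires = issued + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(16)  # makes every challenge unique
    payload = f"{user_id}|{domain}|{expires}|{nonce}"
    tag = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_challenge(token: str, user_id: str, claimed_domain: str,
                     now: Optional[float] = None) -> bool:
    """Accept the token only if it is unmodified, unexpired and bound to
    this user and this domain (the user clicked the link in the email)."""
    parts = token.split("|")
    if len(parts) != 5:
        return False
    tok_user, tok_domain, tok_exp, _nonce, tag = parts
    payload = "|".join(parts[:4])
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered token
    if tok_user != user_id or tok_domain != claimed_domain.lower():
        return False  # a valid token, but issued for a different claim
    current = now if now is not None else time.time()
    if not tok_exp.isdigit() or current >= int(tok_exp):
        return False  # expired
    return True


if __name__ == "__main__":
    # Constructed sample claim: user "user-42" says they work at example.com.
    token = issue_challenge("user-42", "alice@example.com", "example.com")
    print("token issued:", token is not None)
    print("verified:", verify_challenge(token, "user-42", "example.com"))
    print("wrong domain rejected:",
          issue_challenge("user-42", "alice@gmail.example", "example.com") is None)
```

Two design points worth noting. The token carries no server-side state, so the HMAC is what binds it to the user, the domain and the expiry; `compare_digest` is used so a forged tag is not leaked through timing. And the check proves exactly one thing: whoever completed it could read mail at that domain when the link was sent. It does not prove the person is the named individual, which is the gap Rich points to in his reply.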

By rmogull on 08/19 at 07:59 PM

You'll have to forgive me for forgetting the spear phishing part- I was more than a little hung over at the time.

I believe, at least with current technologies, that any system of trust is only as reliable as the degree of in-person social interaction that backs it. It’s not just related to social networks, but any electronic transactions.

We see this in the financial system. Fraud rates have increased proportionally to the reduction of real-world interaction required. Because we humans are hardwired for social interaction, there's just something about face to face contact we can't fully replicate. To pull the psychology in, there is a different risk involved with physical interactions, and our bodies respond to that accordingly. As a physical security dude I found it way easier to peg someone in person than online- the barrier to entry is higher. We can't all be a Frank Abagnale.

For online networks, my theory is the level of reliability and trust is defined by two factors:

1. The degree of connectiveness.
2. The volume of physical interaction.

Online communities where the heart of your identity is reinforced by the network are far more reliable than those where your online identity is a mere reflection of your name. For example, the odds you could impersonate me via blog/twitter/email are FAR lower than someone who isn't engaged with that community. On the other hand, although I have a presence in MySpace now (thanks to you), it's not something I actively engage in. While you can't use that to impersonate me in my "world" of sectwits and security bloggers, you could easily co-opt an entire other community. Marcus was a perfect target because he isn't engaged with these tools. Gadi was a bit trickier, but was also outed a bit faster.

This is a long way of saying that we all have multiple identities and communities in both the real world and online. I don't think additional validation will help, since there are still plenty of ways to co-opt mechanisms like that. Anytime a network isn't self-reinforcing it's more prone to exploitation. That means we have to actively engage to protect our identities, since no other mechanism will really help.

Damn- guess I had enough coffee today, time to go do something productive!

By Feeds mobile edition on 08/24 at 07:04 PM

[...] as a vector is very likely to be effective. Our recent impersonation exercises on SocNets have been documented ad infinitum, so there’s not much point in beating a dead horse. Suffice it to say that if you [...]
