Socially Engineering Social Networks

Image via Wikipedia

Many company associates use social networking sites.  Let me say it again, many company associates use social networking sites.  Really?  Yep.  What sites you may ask?  LinkedIn, Facebook, and MySpace (yes, even them).

While I’m writing this, I can quickly do a search based on those explicitly noted as being associated to my company and I can tell you more than 20% of the current employee base has associated themselves with us via the social networking profiles.

Ok, let’s switch perspectives…

A study posted last year found that two major social networking sites were the target of 91 percent of U.S. based phishing attempts last year.  Symantec found that 68 percent of the 50 most-frequent potential infections reported by customers involved malware that tried to get access to things like stored usernames, passwords and financial data.

So, the law of probabilities tells us that if you belong to the 20 plus percent of associates that use social networking sites, you would have been exposed to one of these attempts in the past year.  Social networking sites have been mostly hit by annoying worm, adware, and phishing attacks.  Most of these are automated and not targeted attempts to harvest information.  However, even a low level of success to a “You won’t believe this funny video of you” Trojan yields quite a bit of information.

Attacks are now migrating from this widespread approach of malware to some very targeted social engineering attacks.  The top social networking sites all offer a means by which a false account can be set up and then request access to a “group” (e.g. your company).  Association into that group often provides you with a level of information to begin creating profiles or users or an organization.  You then get one (or a few) of the people in that organization to accept you as a connection and you now have more detailed information on those associates and possibly their area of the company.  Take it a step further where those associates (and now even a few others) have their privacy settings set rather loosely then you can see information about users to whom you aren’t even explicitly connected to.

A very similar approach was taken on a blog site that users of a particular corporation all used.  Someone impersonated an employee, over a matter of a few months established a profile and even had made “friends” with other associates within the company via the site.  The person represented themselves as an IT associate and to be working on projects which they had gleaned from other information on the site.  Ultimately the user created a web page, utilizing the corporate identity of the company, and set it to seem like a password reset page.  They then casually talked up the tool as being a convenient way to set or change passwords and then sat back and let the word spread.  A high percentage of site users used the page and thereby compromised their account information.  Even after this was exposed, many of the associates, through interaction on the site, truly thought they were dealing with a fellow associate.

Image via Wikipedia

LinkedIn has specifically addressed this kind of false associations by using a “social defense” model.   You can’t just randomly send messages to people ala Facebook. To gain access to another site member, LinkedIn requires you to contact someone you both know for an introduction. Thus, a third party has to vouch for you and confirm that you are who you say you are.

What precautions should be taken to limit exposure of information?

1. Smart password management – Your passwords, everywhere you use them, are important.  There is considerable effort put in to protecting the systems which use and govern your passwords at your company.  Create strong/complex passwords for systems outside of corporate systems to help keep your information safe.  A word of caution here, don’t use the same password for all systems either.  Yes it may be very convenient, but this goes to the “weakest link” example.  If you use a website that has poor programming or security practices and your name, associations, employment, etc are harvested from that site and you utilize the same password for your bank account, outside email, and your corporate login are now exposed.  Also be judicious with the use of password reset tools.  Don’t use questions with simple or obvious answers as it makes it quite easy for someone else to guess the information, reset your password, and gain control of your profile.  Another article dedicated to this issue alone is in the works.
2. Utilize the security controls provided by the site – The major social networking sites allow for you to limit who has access to view all or part of your information.  I would highly recommend not leaving those settings at default and set everything to the most restrictive view settings possible.  In most cases this is a setting which allows “only my friends or connections” to view information on your profile.  Therefore you have limited much of the information to people which you have explicitly given permission to view.  Be leery of the options to allow “friends of friends” to view information and certainly don’t leave it set to “publically available”
3. Stick with who you know – While sometimes used in this way, please don’t use social media sites as a popularity yardstick.  This often involves accepting invites from complete strangers and inviting any and everyone to be a “friend/contact” so you have a large number of associations.  This increases the risk of an indirect attack via email/posting/app as well as targeted attacks as it makes it easier for the anonymous attacker to masquerade as a “friend”.
4. Limit the amount of personal information you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections.
5. Be skeptical – Don’t believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take proper precautions, though, and try to verify the authenticity of any information before taking any action.
6. Use and maintain anti-virus software – Anti-virus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove the virus before it can do any damage. Because attackers are continually writing new viruses, it is important to keep your definitions up to date.  The newer suites of these software products are often called End Point Protection suites.  They include more products that help provide a better overall protection to your system.

Related Articles

• Burglars scan social network sites (autonetinsurance.co.uk)
• Foreign Social Networking Websites? (basekit.com)
• Protecting Your Digital Data (q-ontech.blogspot.com)
• Why Are Social Networking Sites Popular (aleasemichelle.typepad.com)

iOS 4.2 is out! Update your iDevice!

Image via CrunchBase

While many people (me included) are happy to update their devices to iOS 4.2 for the new features enabled, most are not aware of the security fixes included that are also necessary.  iOS 4.2 (like many iOS updates prior) includes fixes to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, initiate a call, cause a denial-of-service condition, gain system privileges, or obtain sensitive information on your iPhone, iPad, or iTouch.  (While there is an update for AppleTV also, I’m not aware of what, if any, vulnerabilities were addressed with that update).

A quick overview of these fixes includes fixing an issue with the new iAD service where the ads could send you to malicious sites, fixing mail issues where properly formatted HTML emails could send information back to the sender of the email, and a network issue where properly formatted PIM messages could cause a denial of service situation or the device to completely shut down.

To see a full list of the vulnerabilities addressed, please see Apple’s security page here:  http://support.apple.com/kb/HT4456

Related Articles

• Redsn0w jailbreak already live for iOS 4.2.1 on all devices (tuaw.com)
• iOS Tutorial: How to Update Your iPhone to iOS 4.2 (brighthub.com)
• Apple iOS 4.2 Hands-On (apple.slashdot.org)
• iOS 4.2: Our Complete Walkthrough (macstories.net)
• Ars goes hands-on with AirPlay on iOS 4.2 and Apple TV (arstechnica.com)

P.T. Barnum wasn’t wrong – Firefox Beta Links spread Malware

It should not come as a surprise to you that Firefox is available for free download from Mozilla (hence the Open Source Project).  This must not be apparent to users who are being fooled by a fake Firefox 4.0 beta download scam.  

The scam goes a bit like this:

1. You want software but don’t want to pay for it (in this case a new version of the Firefox browser)
2. You get email/see link/etc that a new Firefox browser is going to be out
3. Email/Link/etc portends to provide either a software crack or a key generation file (items used to break registration of what should be purchased software).
4. You download and run crack files
5. You get infected with a Trojan

Reports note the following trojans have already been seen using this scam:

• FraudTool.Win32.FakeVimes
• Trojan-Downloader.Win32.CodecPack.2GCash.Gen
• Trojan.DNSChanger.Gen
• Virus.Win32.Parite
• TrojanDownloader-Win32/FakeRean

Moral(s) of the story:

1. Always check an authoritative source.  If you are interested in the Firefox 4 Beta, check out Mozilla’s site and download it there.
2. It’s always a bad idea to pirate software.  Sites that host/distribute cracked versions of software and keygens are already operating in a shady area, don’t be surprised to get infected/attacked if that is a site you visit.  (As I tell my kids, don’t touch that, you don’t know where it’s been).
3. Patch and Update.  For at least the few noted pieces of malware being spread here, if your system is patched and your AV updated you should be okay.  However, this can change at any moment, so don’t test it.