Tuesday, April 27, 2010

Social Networking: Why You Should Be Worried

While social engineering as a method of compromising systems and networks is nothing new (and the art of deception goes back long before the advent of TCP/IP), social networking amplifies the potential for abuse in a number of ways. Mostly through naiveté: individual users assume they won't be targeted, that they have nothing to hide, or hold mistaken or deluded notions about how their personal information will be used.

I could pick these notions apart up and down, but I really don't have the time. So instead, if you honestly kid yourself with any of the following excuses:
  • "I have nothing to hide!"
  • "I won't be targeted!"
  • "I trust 'them' with my personal information!"
Then skip straight to the References section at the end of this post. When you're done reading the lot, come back here. Because if you honestly think you are somehow going to magically dodge the bullet, you are just wrong. Wrong, wrong, wrong. Dead wrong.

Did I say wrong enough times?

What's more, your action (or worse yet, inaction) will have an impact on how your information is used and on global notions of privacy; furthermore, you may indirectly compromise your workplace, your colleagues, co-workers, friends or family.

What makes social networking a far greater threat than old-fashioned social engineering is that it compounds the problem on multiple levels.

Information that was previously hard to come by (e.g. it had to be acquired by being physically present or by knowing certain individuals) can now be mined remotely and discreetly. Websites such as pipl.com or tools like Maltego have shown the very real threat that remnant traces of data on the Internet can reveal. We can see data in aggregate. And aggregation compounds the risk, because the sum is greater than its parts: attributes that are harmless in isolation become dangerous once they are linked to the same person.

Social networking lets data determine subject-object relationships. Context is revealed. So we know that Jarrod likes Mixed Martial Arts and that the Ultimate Fighting Championship is an MMA event. It would stand to reason that Jarrod would like to hear about the UFC. This is the value of data and relationships. This is the world view that Google and Facebook are trying to build. But sometimes these relationships can have unexpected consequences.

E.g. an attacker finds out you work at XYZ Company in the Payroll area (LinkedIn) and that you like going out to concerts and are a fan of Pink (Facebook). Searching on the email address you have listed as public (pipl.com) reveals your blog and some very compromising pictures. Or maybe just a rant about how much you hate your boss. Or the attacker uses all of this to distribute a finely crafted piece of malware purporting to be Pink playing live in your hometown, in the hope of compromising your work machine...
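As an added example (my own illustration, not code from the original post, nor anything from pipl.com or Maltego), here is the aggregation step in miniature: a handful of constructed profile fragments, each of the kind a single source might leak, linked Maltego-style by shared identifiers into one profile. The records, the person, the `jsmith_au` handle and the `example.org` address are all made up. The point it shows is that the employer and the email address never appear in the same source, yet the merged profile ties them together and hands the attacker a ready-made pretext.

```python
"""Added example: Maltego-style entity linking over constructed profile
fragments. Records that share an identifier (email, handle, phone) are
merged transitively; the merged profile exposes attribute combinations
that no single source ever published together."""
from collections import defaultdict

# Keys whose values identify a person and therefore pivot between sources.
# Everything else in a record is an attribute that gets aggregated.
LINK_KEYS = ("email", "handle", "phone")

# Constructed sample fragments (not real people, not real site output).
# Note that no single record contains both the employer and the email.
RECORDS = [
    {"source": "linkedin", "name": "J. Smith", "employer": "XYZ Company",
     "role": "Payroll", "handle": "jsmith_au"},
    {"source": "facebook", "handle": "jsmith_au", "likes": "Pink",
     "interest": "concerts", "location": "Sydney"},
    {"source": "pipl", "email": "jsmith@example.org", "handle": "jsmith_au"},
    {"source": "blog", "email": "jsmith@example.org", "note": "rant about boss"},
    # Someone else with a similar handle: must stay a separate cluster.
    {"source": "facebook", "handle": "other_jsmith", "likes": "chess"},
]


class DisjointSet:
    """Union-find over record nodes and identifier nodes."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def link_records(records):
    """Cluster records that share any identifier value, transitively
    (A shares a handle with B, B shares an email with C => A, B, C merge).
    Returns clusters as lists of record indices, in first-seen order."""
    ds = DisjointSet()
    for i, rec in enumerate(records):
        ds.find(("rec", i))  # register even records with no identifiers
        for key in LINK_KEYS:
            if key in rec:
                ds.union(("rec", i), (key, rec[key].strip().lower()))
    clusters = defaultdict(list)
    for i in range(len(records)):
        clusters[ds.find(("rec", i))].append(i)
    return list(clusters.values())


def aggregate(records):
    """Merge each cluster into one profile: attribute -> sorted list of values."""
    profiles = []
    for cluster in link_records(records):
        merged = defaultdict(set)
        for i in cluster:
            for key, value in records[i].items():
                merged[key].add(value)
        profiles.append({k: sorted(v) for k, v in merged.items()})
    return profiles


def emergent_pairs(records):
    """Per cluster: attribute pairs present in the merged profile that never
    co-occur in any single source record. These are the facts an attacker
    learns only by aggregating, e.g. (email, employer)."""
    result = []
    for cluster in link_records(records):
        keys, together = set(), set()
        for i in cluster:
            ks = sorted(set(records[i]) - {"source"})
            keys.update(ks)
            together.update((a, b) for a in ks for b in ks if a < b)
        everything = {(a, b) for a in keys for b in keys if a < b}
        result.append(sorted(everything - together))
    return result


def spear_phish_pretext(profile):
    """Turn a merged profile into the post's lure: the target's favourite act
    'playing live' in their town, sent to the address found elsewhere."""
    if {"email", "likes", "location"} <= set(profile):
        return (f"To {profile['email'][0]}: {profile['likes'][0]} live in "
                f"{profile['location'][0]} - presale tickets attached")
    return None


if __name__ == "__main__":
    for profile in aggregate(RECORDS):
        print(profile)
    for pairs in emergent_pairs(RECORDS):
        print("only visible in aggregate:", pairs)
    print(spear_phish_pretext(aggregate(RECORDS)[0]))
```

The linking is deliberately transitive: the LinkedIn record and the blog record share nothing directly, but the handle on one and the email on the other are both on the pipl.com record, so all four collapse into one person. That is exactly the chain a Maltego transform graph walks, and it is why "locking down" one site does little if another still publishes a pivot identifier.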

Social relationships are important and I don't want to say "don't use social networking", but we need to be mindful that the information we are sharing isn't being shared "just with our friends". We're sharing it with third parties that we have trusted, and sometimes that trust is misplaced, taken for granted (Google/Buzz) or just outright abused (Facebook).

Locking down your profile doesn't always solve the problem: these companies can still share your data with third parties or use it internally at whim (Google), they can still hold the data indefinitely (Facebook), or their platforms can be riddled with security holes. To such a degree that even if you do the right thing (share the minimal amount required, lock down your privacy settings, etc.), you can still be hit through the people you have as 'friends', because of their own lax approach to personal security and privacy (or because they install every sodding game or application under the sun).

This isn't intended to scare the crap out of you (although I'm sure it will for some once you see how real-world attack scenarios play out in my references section and in the Google/China hack), but you need to realise how it can be abused.

If you're going to use social networking services, you need to be mindful:
- what you share,
- who you share it with (companies/websites as well as individuals),
- default privacy/profile settings,
- if in doubt, just share the BARE MINIMUM required to maintain social contact!

- J.



Wireghoul said...

Coincidental timing... http://snosoft.blogspot.com/2010/04/hacking-your-bank.html

Drazen Drazic said...

That's one worth linking to people we know outside of our industry. Nice write-up mate. Love the passion in your writing. Linking it out now.


Matthew Hackling said...

Thanks for the link to the "why blackhats always win" talk, great reading comparing standard "pen test" methodology vs what the black hats do.

Jarrod said...

Wireghoul - the hacking your bank one linked directly off one of my reference links, which is why I posted it :)

DD - You're welcome. I had a few people (mostly friends and family) asking.

Matt - You should also check the metaphish paper and some of the other talks/presentations done by attackresearch.com

Drawing classes said...

What a wonderful post to read!! thank you for bringing all good thoughts into one post!