If you think that Facebook’s 600,000 compromised logins per day are not enough, you had better read an interesting paper by a group of researchers from the University of British Columbia on the use of socialbots, that is software-driven fake identities controlled by a botmaster, to lure real Facebook users with the aim of stealing sensitive data and, more generally, any kind of information with a potential monetary value.
Social networks are gaining more and more importance in everyday life, both on a microscopic and on a macroscopic scale. On a microscopic scale they influence the life of a growing number of individuals who concentrate their personal and professional interests there; on a macroscopic scale social networks played (and are playing) a crucial role in the Arab Spring, from both a social and a military perspective: not only were they the virtual weapons with which protesters bore witness to the events in Tunisia, Egypt, Libya and Syria (and with which the loyalists ran propaganda and misinformation campaigns), but they were also used by NATO in Libya as a source of potential targets to strike, after “strong authentication” of the information with conventional means (such as satellites).
Of course this constantly growing influence is attracting attention from governments (which are evaluating technologies to monitor, and eventually counteract, the streams of information) but also from individuals who look at the weaknesses of social networks (and, more generally, at the scarce attention many users pay to privacy) as a means of stealing money and information, the new form of wealth of the Web 2.0 era.
The idea behind this research is not completely new, and builds on two well-known risk factors for social networks: reputation and privacy. The (fake) social reputation of a malicious individual can lure legitimate users into connecting with untrusted contacts; once the connection is established, poor attention to privacy settings together with superficial behaviour can lead users to reveal personal and even classified information through the social channel. This is why resounding examples of fake profiles (with human beings behind them) are nothing new for social networks, whether for scientific or for amusement purposes: the names of Robin Sage and Primoris Era should sound familiar to many.
On the other hand, not even the possibility of developing software-based fake social personas is completely new, at least in theory and most of all for military purposes, if it is true that the U.S. Department of Defense is developing software personas for propaganda actions on the social network battlefield.
What is completely new is that no one so far had shown the results of research done with software-based socialbots, since until now only human-operated fake profiles had been used to steal information.
So what happens when bots, a concept native to information security, meet social networks?
The results, at least for Facebook, are discouraging: the above-mentioned paper shows that, starting with a socialbotnet of 102 socialbots (49 male profiles and 53 female profiles) controlled by a single botmaster, the researchers were able to infiltrate Facebook while fully automating the operation of the socialbotnet (including the creation of the fake accounts).
The average success rate was 59.1%, with peaks close to 80%, which in several cases, depending on users’ privacy settings, resulted in privacy breaches (harvested data included email addresses, phone numbers and other profile information with potential monetary value). Even worse, the collected data also included private data of users who had not been infiltrated themselves, but were only “guilty” of being somehow connected to infiltrated users: on average each socialbot collected 175 new items of otherwise publicly inaccessible user data per day.
The infiltration amounted to 8,570 connection requests over a timeframe of 8 weeks, with 250 GB of data collected. Moreover, social network defenses such as the Facebook Immune System proved not effective enough in detecting or stopping the infiltration as it occurred: they worked only when users recognized the fake profiles and flagged them as spam. Curiously, this happened in only 20 cases (nearly 20% of the total), all involving female profiles.
From the users’ side, the research confirms the easily predictable fact that most users are not careful enough when accepting connection requests from strangers, especially when they share mutual connections (the so-called triadic closure principle, one of the foundations of social networks).
Personal and professional social networkers (and organizations approaching social networks) have been warned!
Thanks to Andrea Zapparoli Manzoni for suggesting the original concept of Consumerization of Warfare and this update.
In a previous post we defined “Consumerization of Warfare” as the growing use of consumer technologies such as social networks and mobile devices for military purposes (such as propaganda or espionage).
The most obvious examples of this trend are represented, on a global scale, by the influence (also acknowledged by President Obama) that social media had on the wind of change blowing from the Maghreb to the Middle East. In this context they were used for different purposes: for witnessing the real extent of the events (a key factor in fostering the Allied intervention in Libya), for virally spreading propaganda and psyops information and, last but not least, in a strictly military context, as further evidence to “strongly authenticate” the coordinates for NATO missile strikes in Libya.
But this approach is not limited to social media. Mobile devices are the natural companions of social media, so the U.S. Army, the U.S. Marines and the National Security Agency are evaluating the use of COTS (Commercial Off-The-Shelf) products for military purposes, looking at several different commercially available smartphones and tablets, properly hardened and secured.
In particular, despite privacy and reputation issues, social media have proven to be a powerful medium for spreading information. Consider a single event: Osama Bin Laden’s death. Tweets about this event averaged 3440 TPS (tweets per second) from 10:45 pm to 12:30 am ET on the night of May 1 to 2, 2011, reaching a peak of 5106 TPS around 11:00 pm ET.
Such a formidable weapon must be fully exploited for defensive and offensive purposes, and consequently the newcomer to this warfare is none other than the Pentagon, which is asking scientists to figure out how to detect and counter propaganda on social media networks in the aftermath of the Arab uprisings driven by Twitter and Facebook. The US military’s high-tech research arm, the Defense Advanced Research Projects Agency (DARPA), has put out a request for experts to look at “a new science of social networks” that would attempt to get ahead of the curve of events unfolding on new media.
The program’s goal is:
To track “purposeful or deceptive messaging and misinformation” in social networks and to pursue “counter messaging of detected adversary influence operations,”
according to DARPA’s request for proposals issued on July 14.
The idea of building fake personas to manipulate the social arena is not completely new (and one of the players involved was none other than the well-known HBGary Federal), but this time the scope is much wider, aiming to change the course of events with massive (counter)information campaigns (think for instance of the videos and images coming from Libya, which were crucial in fostering the Allied intervention).
I am not sure Zuckerberg & Co. will be very happy that their creations are considered, against their will, a battlefield by the Pentagon…
With great satisfaction, yesterday I took advantage of a promotion and updated the navigation app on my Android device to the new premium version. Although I was very satisfied with the previous version, I could not resist, as usual, a newer release: moreover, the opportunity to save a dozen hard-earned euros was too tempting, so I gave a virtual swipe of my credit card and got the deal. Among the new features I immediately noticed the so-called “Social Navigation” (nowadays you may add the term social to anything), that is the possibility of sharing details of the journey on Facebook or Twitter.
My sixth sense (and a half) told me not to enable the automatic sharing of journey details, for a simple reason: what if a burglar intercepted my status update or my journey tweets and consequently knew that I was leaving home (maybe for several days)? The answer is pretty simple… And it is exactly the reason why I do not post details of my journeys on social media, whether they are for business or for holiday.
Unfortunately it looks like many people do not think so and have the bad habit of posting their holiday plans on Facebook or, worse, of publishing in real time pictures shot many miles from home. Translated into the real world, this behaviour is like leaving a note on the door telling a burglar there is nobody home.
This is an opportunity too tempting for “social burglars”, who have become familiar with these behaviours and also take advantage of weak default privacy settings, or of the viral spread of information typical of social media, to probe profiles looking for unguarded homes to burgle.
From a social perspective, this is only the latest field in which real life and virtual (social) life dangerously overlap, showing that the same threats apply equally to both areas. Luckily the same countermeasures apply as well, and this is why a UK security firm based in Chelmsford, Precreate Solutions, provides its customers, for a small fee, with “virtual updates” while they are away. The service, by means of pre-approved messages, status updates and tweets scheduled while the customer is away, aims to simulate a real and virtual presence at home, discouraging potential criminals from taking action.
Of course holidaymakers should avoid posting their pictures or status updates while they are on holiday; moreover, they should also be able to craft credible pre-cooked messages (what if their scheduled status said “I am watching the football match” in July, when there is no match, while at the same time they were posting pictures from the beach?).
On reflection this is not so different, in theory, from the old-world approach where holidaymakers asked their neighbours to keep an eye on their homes, water the plants and possibly show signs of presence (switching the lights on, for instance, when this is not done through automated switches)… Moreover, the bridge from the real world to the virtual world could become even more concrete, since company director Gary Jackson claimed that
It’s getting to the point now when insurance firms are going to charge higher premiums for social media users.
Maybe a marketing statement, if it is true that the Association of British Insurers said it had never heard of insurers asking customers who use social networks to pay more (and said it would not be practical to do so); a spokesman, however, warned people to think twice about advertising that they were away.
A further thought for this Social Media Day: a further example of the growing revolution of social media and their impact on everyday life, and a further example of their privacy and security concerns, most of all when they are used, as often happens, with imprudence and shallowness, a behaviour which might lead to serious consequences in the real world as well.
- This security firm offers to update your Facebook status whilst you’re away (theinformativereport.com)
According to a NYT article, this is exactly what the Obama Administration is doing, leading a global effort to deploy a “shadow” Internet and an independent mobile phone network that dissidents can use against repressive governments which seek to silence them by censoring or shutting down telecommunications networks (as happened in Egypt and Syria).
In more detail, the above-mentioned effort includes secretive projects to create independent cellphone networks inside foreign countries, as well as an “Internet in a suitcase” prototype, financed with a $2 million State Department grant, which could be smuggled across a border and quickly set up to allow wireless communication over a wide area with a link to the global Internet: a sort of 21st-century version of Radio Free Europe relying on “mesh network” technology, which can turn devices like cellphones or personal computers into the nodes of an invisible wireless web without a centralized hub.
If one puts together the pieces of the puzzle of the last events, one clearly realizes that the ingredients were already in the pot and are now being mixed in the right doses for a recipe of freedom.
On the other hand, the importance of Internet connectivity (in terms of its presence or absence) in war zones is unquestionable. This is clearly shown by the fact that we are getting more and more familiar with the shutting down of Internet connectivity as a clumsy attempt by some governments to prevent the spreading of unwelcome information and the consequent use of social networks for propaganda, PsyOps or real war operations. Of course I already talked about special groups of the US Army, which I dubbed “Corps of (Networks and Security) Engineers”, dedicated to maintaining Internet connectivity in war zones by means of 3G or Wi-Fi drones. It looks like I was only partially right, since the reality seems much closer to a spy novel featuring special agents equipped with Internet suitcases rather than soulless drones equipped with antennas.
The same goes for mobile technologies: according to United States officials, the State Department and the Pentagon have spent at least $50 million to create an independent cellphone network in Afghanistan, using towers on protected military bases inside the country, in order to offset the Taliban’s ability to shut down the official Afghan services. More recently a similar action was performed in Libya, with the hijacking of the Libyana mobile operator network so that rebel groups could use it to communicate among themselves. Clearly these were not isolated cases but the first examples of a real mobile warfare strategy aimed at maintaining mobile connectivity (videos shot with mobile phones are a common feature of all the protests in the Maghreb and the Middle East) without clumsy actions such as the smuggling of satellite phones into Syria.
In light of these facts, Mr. Obama’s speech on the Middle East of May 19 takes on a new meaning, and a deeper analysis shows that some precursors of this strategy had already been announced, even if in a hidden form:
Cell phones and social networks allow young people to connect and organize like never before. A new generation has emerged. And their voices tell us that change cannot be denied…
In fact, real reform will not come at the ballot box alone. Through our efforts we must support those basic rights to speak your mind and access information. We will support open access to the Internet.
Open support for the Internet… Even if closed inside a suitcase…
- Shadow Internet: Secret U.S. Effort Reportedly Aims To Help Dissidents (huffingtonpost.com)
The relationship between social networks and the law is very controversial. If, on the one hand, we are now accustomed to considering social networks as enemies of privacy, on the other hand the lack of privacy together with the users’ lack of attention to prudent rules of behaviour (sometimes one thinks that behind an avatar everything is allowed) is a factor that is playing a major role in court trials, for instance (but not only) when parties must gather evidence during matrimonial disputes.
A “cheerful” behaviour on social networks is often used to demonstrate infidelity: divorce lawyers are well aware of this, and the practice of creating fake profiles and “probing” the behaviour of the adverse party with friendship requests is now well established.
This is useful for the collection of evidence (sometimes there is not even any need to interact directly, since some users are careless enough to write private messages on the wall). This strategy leverages partly the peculiar concept of privacy of social networks and partly the naivety and superficiality of users and, although questionable from an ethical point of view, is permitted in several countries including Italy. In the so-called “Belpaese” the law prohibits gathering evidence by intruding into the partner’s profile, but at the same time allows gathering evidence through fake profiles with no connection to the real world (or through the profiles of friends), using them to probe the partner’s fidelity (the successful gathering of such evidence is real trouble for the guilty party, since a ruling of the Italian Court of Cassation, 9287/1997, holds that virtual infidelity is grounds for charging the separation to the unfaithful spouse).
Besides this point of contact, with which (un)fortunately we are getting more and more familiar (Facebook is the top cause of relationship trouble), there is another important (and controversial) point of convergence between social networks and the law, brilliantly described in this Bloomberg article: Facebook is being used as a tool to serve court papers.
It all began two years ago in Australia, when a judge in Canberra required lawyers, acting on behalf of the creditor, to serve a foreclosure notice on the debtors at their home address, at a secondary address and via Facebook. Since then the practice of online legal service has been spreading as a means for courts to keep their dockets moving, and courts in New Zealand, Canada and the U.K. have followed the Australian example to avoid having cases stall when people cannot be located and served in person. Consequently, U.S. lawyers say the U.S. may not be far behind in using the world’s most popular social networking service for the same purposes.
This is clearly another field in which social networks are changing the rules: the opportunity to serve court papers by means of social networks not only recognizes the legal value of a digital (social) identity, but also treats the social network (Facebook in that case, but the practice is applicable to Twitter as well) as a reliable, secure and private communication medium.
Nevertheless there are still many concerns that probably need to be addressed in more depth.
First of all (guess what?) privacy! Even if many countries will not grant this role to Facebook because of its well-known privacy issues, privacy advocates point out that serving court notices by mail or in person already provokes privacy complaints, and using Facebook does not add any new concern.
The landscape is completely different if we analyze the question from the reputation perspective (the reputation of the receiver, or rather of her social profile), which is probably the main concern. With regard to social networks I have already expressed my doubts about social reputation and the dangers hidden behind fake identities. These aspects are more relevant than ever where the delivery of a legal document is concerned: in order to serve notices via social networks the sender must be able to trust the profile and make sure it really belongs to the person the notice is addressed to. Moreover, the sender must be able to prove that the receiver checks the profile often enough for it to be a reliable path of notification (probably required in cases where the traditional media have failed).
Although many debtors and other kinds of defendants tend to hide their real or social identities just to avoid notices, social delivery should be done without violating the ethics codes that prevent lawyers from “friending” the target in disguise to overcome privacy settings, even if we have seen that several countries (including Italy) permit such unethical methods for gathering evidence.
In Italy this aspect should not be a problem, not only because my country allows “friending” a target in disguise, but also because a notice is considered successfully served once it has been sent in all the prescribed manners, regardless of whether the receiver has read it or not: in this case the unawareness is considered negligence on the receiver’s part.
Why should lawyers and courts use social networks for serving notices? Have a look at the number of users on Facebook, or at the average time spent on social networks, to find the answer. Moreover, consider that there are many cases in which defendants, rather than receiving the notices, prefer to make themselves unavailable at their real addresses or even to flee abroad, possibly to countries with no agreement for serving notices from the original country. In all those cases it may take up to six months to deliver the notices (at least in Italy), with the consequent stall of the legal proceedings.
Fortunately defendants often escape from the real world but are not able to escape from their virtual world, the social networks…
- Facebook Used by Courts to Find Those Who ‘Exist Only Online’ (businessweek.com)
- Courts use Facebook and Twitter to reach those who exist only online (textually.org)
- Can Legal Papers Be Served via Facebook? (socialtimes.com)
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
About This Blog
In this blog I express my personal opinion, which does not necessarily reflect the opinion of my organization, about events and news of interest concerning information security, with a wink to the mobile world and, why not, to some curious personal events.
Every piece of information is reported with its source.
Anyone intending to use information contained in my posts is free to do so, provided they mention my blog in their article.