The Party Is Not Over! 250,000 Twitter accounts compromised!
The Information Security Community is still commenting on the cyber attacks against U.S. media companies, and here is another clamorous piece of news in this February weekend!
In the wake of the admissions made by The New York Times and The Wall Street Journal, Twitter has revealed in a blog post that over the last week it detected unusual access patterns which led it to identify unauthorized access attempts to some user data. Twitter even discovered, and was able to shut down, one live attack, but its effort did not prevent the attackers from accessing the user information of 250,000 users. The compromised data for the affected users includes: usernames, email addresses, session tokens and encrypted/salted passwords.
As a precautionary security measure, the social network has reset the passwords and revoked the session tokens for the affected accounts. The impacted users have received (or will soon receive) an email notifying them to create a new password.
This is not the first time that a major social network has been hacked: in June 2012 LinkedIn had 6.5 million accounts compromised.
The problem is that our online experience is getting harder and harder: counting (and immediately patching) all the exploitable 0-day vulnerabilities in browsers and their components is becoming an endless task (see the Java saga, for example), and apparently even protection technologies are not so useful…
June 2012 Cyber Attacks Timeline (Part I)
Update 07/05/2012: June 2012 Cyber Attacks Timeline (Part II)
A (first half of the) month living dangerously…
June has come and strongly confirms that Summer is the preferred season for Cybercrookers: just look back at June 2011 and you will probably remember the days of Lulz of the infamous LulzSec Collective (which curiously seems to have been reborn!).
June 2012 has shown a remarkable number of incidents and is proving to be a mensis horribilis (horrible month) for Social Networks and Online Services in general, due to the high profile breaches of LinkedIn, Last.Fm, eHarmony and the online game League of Legends.
On a geographic scale, it looks like China is becoming another important source of Cyber incidents, having been targeted by #TeamGhostShell, who claim, inside their #ProjectDragonFly, to have obtained up to 800,000 accounts from different sources.
Hacktivism-led actions seem (apparently) to be declining, whilst, on the Cyber Crime front, a new collective, UGNazi, is taking the scene, having continued, in the first part of June, the wave of cyber attacks we have become familiar with for some time.
Another Infosec Summer promising to be very hot!
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timeline.
Beware Of Linkedin Scams
You know, social media have become the last frontier of spam and scam. Yesterday I received a strange message from an unknown (i.e. non-existent, at least when I checked) LinkedIn Profile, inviting me to message my email address for a purported “undervalued $tock bid”. In these hard times the prospect of easy money sounds appealing but…
…Always remember that LinkedIn is particularly attractive for cybercrookers, since contacts enjoy a higher level of trust and confidence and the victims are led to lower the barriers of mistrust (the human firewall).
Anyway, in case of suspicious messages from LinkedIn, always check the LinkedIn Checkbox (in this case, needless to say, the message was not listed, nor did the LinkedIn profile exist).
Social Reputation On Sale
Would you buy a used car from a Girl Like That? Mmh… probably she is not the best person for this kind of deal, but I grant you that if you wish to buy some pounds of social reputation on sale she is just the right (virtual) person. You only need to go on Twitter and search for @JuliannaAlln to understand why…
Some hours after publishing my last post about Mr. Obama’s speech and its implications for Revolution 2.0 (thanks to @brunehel for suggesting this intriguing name) I received a strange mention from @JuliannaAlln:
@paulsparrows: I just saw your tweet about Linkedin. This site is great for adding LinkedIn connections:
http://is.gd.dfnfQV
Tweet about LinkedIn? It sounded strange to me: even if in a certain sense my last tweet mentioned Social Networks, it had (nearly) nothing to do with LinkedIn.
I could not help noticing the attractive young girl in the picture (a typical stereotype of social honeypots), and consequently at first glance I immediately thought about the affair of @PrimorisEra or Robin Sage. Anyway, since it is really unlikely that my unconfessable secrets may be of any interest to someone for the purpose of espionage or whatever else, this idea without rhyme or reason only lasted a few seconds: the truth is far less romantic and is just a click away from the link contained in the tweet.
As a matter of fact the link inside the tweet brings you to Viralso, an Internet Marketing Agency, whose main business consists of selling Social Reputation: with “only” 89 bucks per month you may choose to reach the mentionable amount of 2400 LinkedIn connections (with a Delivery Rate of 200 per Month) or 2000 Twitter followers (understandably, building a social profile on LinkedIn, where you must prove the references of your skills, is much harder). If instead you want to surprise your friends on Facebook with an endless array of friends, there is no problem at all: with “only” 89 bucks per month 500 new friends (per month as well) will bring you to the noticeable number of 2400 friends. In any case you will be able to become a “social black hole” (in the sense that you will be able to attract anything to your profile) with 100% satisfaction guaranteed.

Analyzing the matter more seriously, I find that this is only the latest implication of the polymorphic main concern of social networks, which is Reputation, from a security perspective (can you really trust who you are talking to?) but also from an individual and (real) social perspective. In particular, from an individual perspective, social reputation (and social impact and credibility) is not built upon what an individual is (because the real identity is hidden behind an avatar) but rather upon the number of friends, followers or contacts that individual is able to show, even if there is no way to prove their real identity. If I cannot show or prove who I am, I can only use indirect tools (i.e. my contacts) to build my reputation.
The worrying thing is that apparently there is no difference between personal and professional social networks: I might understand the presumption of “virtual flirt hunters” flaunting thousands of Facebook friends to impress unlikely preys; yet I hardly understand how a huge amount of fake professional contacts on LinkedIn could work, in a social network where the references, at least on paper, can be verified. Maybe even for this reason the LinkedIn IPO was far beyond the most optimistic expectations (it seems we are back to ten years ago).
Even if the agency claims that:
We do not incentivize people to Become a Connection on LinkedIn
We use proprietary marketing techniques to find “real people” that will become a LinkedIn connection.
the quotes around the term “real people” are more meaningful than a thousand words (and now that I know that the marketing process is based on the strategies used by President Obama and, most of all, by Britney Spears, I feel much more comfortable). Actually I really would be very curious to know how the not better defined “proprietary marketing techniques” are able to build the fake profiles, and to check, most of all on LinkedIn, their level of (social) reliability; anyway I must confess that rather than trying it, I much prefer to spend my bucks (or better my Euros, or Euri as we say in Italy) on a real social life, for instance with some real friends and a fresh beer…

A few days ago the Twitter Community was shaken by the affair of @PrimorisEra AKA “