Posts Tagged ‘Robin Sage’

Invasion Of The Facebook Snatchers

November 5, 2011

If you think that Facebook’s 600,000 compromised logins per day are not enough, you’d better read an interesting paper issued by a group of researchers from the University of British Columbia, concerning the use of socialbots, that is software-driven fake identities controlled by a botmaster, to lure real Facebook users with the purpose of stealing sensitive data and, more generally, every kind of information with a potential monetary value.

Social networks are gaining more and more importance in everyday life, both on a microscopic and on a macroscopic scale. On a microscopic scale they influence the lives of a growing number of individuals who concentrate their personal and professional interests there; on a macroscopic scale social networks played (and are playing) a crucial role in the Arab Spring, from both a social and a military perspective: not only were they the virtual weapons protesters used to bear witness to the events in Tunisia, Egypt, Libya and Syria (and also the loyalists’ tools for propaganda and misinformation), but NATO also used them in Libya as real weapons, to identify potential targets to strike after “strong authentication” with conventional technologies (such as satellites).

Of course this constantly growing influence is attracting attention from governments (which are evaluating technologies to monitor and eventually counteract the streams of information), but also from individuals who look at the weaknesses of social networks (and, more generally, at the scarce attention many users pay to privacy) as a means of stealing money and information, a new form of wealth in the Web 2.0 era.

The idea behind this research is not completely new, and takes into consideration two well-known risk factors for social networks: reputation and privacy. The (fake) social reputation of a malicious individual can lure legitimate users into connecting with untrusted contacts; after the connection, poor attention to privacy settings together with superficial behaviour can lead users to reveal personal and classified information through the social channel. This is why resounding examples of fake profiles (with human beings behind them) are nothing new on social networks, whether for scientific or amusement purposes: the names Robin Sage and Primoris Era should sound familiar to many.

On the other hand, not even the possibility of developing software-based fake social personas is completely new, at least in theory and, above all, for military purposes, if it is true that the U.S. Department of Defense is developing software personas for propaganda actions on the social network battlefield.

What is completely new is that no one so far had been able to show the results of research done with software-based socialbots, since until now only human-operated fake profiles had been used to steal information.

So what happens when bots, a concept proper to information security, meet social networks?

The results, at least for Facebook, are frustrating: the above-mentioned paper shows that, starting with a socialbotnet of 102 socialbots (49 male profiles and 53 female profiles) controlled by a single botmaster, the researchers were able to infiltrate Facebook while fully automating the operation of the socialbotnet (including the creation of the fake accounts).

The average success rate was 59.1%, with peaks close to 80%, which in several cases, depending on users’ privacy settings, resulted in privacy breaches (harvested data included email addresses, phone numbers, and other profile information with potential monetary value). Even worse, the collected data also included private data of users who had not been infiltrated, but were only “guilty” of being somehow connected to infiltrated users, with an average of 175 new chunks of otherwise publicly inaccessible user data collected per socialbot per day.

The infiltration translated into 8,570 connection requests over a timeframe of 8 weeks, with 250 Gb of data collected. Moreover, the social network defenses, such as the Facebook Immune System, proved not effective enough at detecting or stopping the infiltration as it occurred: they were effective only when users were able to recognize the fake profiles and mark them as spam. Curiously, this happened in only 20 cases (nearly 20% of the total), all related to female profiles.

From the users’ side (an easily predictable finding), the research confirms that most users are not careful enough when accepting connection requests sent by strangers, especially when they share mutual connections (the so-called triadic closure principle, one of the foundations of social networks).
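As an added illustration (not code from the original post or from the paper it describes), here is a small Python model of the triadic-closure signal: a raw count of mutual contacts, beside a stricter acceptance heuristic that only credits mutual contacts who have been connected to both sides for a while. All account names, dates and the 90-day threshold are constructed assumptions; the point is that a cluster of mutual contacts acquired in the last few days is exactly what the infiltration pattern above produces, so it should count for nothing.

```python
from datetime import date, timedelta

# Connections are stored in both directions, mapping (a, b) to the date
# the connection was accepted. All data below is constructed sample data.
def add_connection(connections, a, b, accepted):
    connections[(a, b)] = accepted
    connections[(b, a)] = accepted

def neighbors(connections, node):
    return {b for (a, b) in connections if a == node}

def mutual_connections(connections, requester, target):
    """Contacts shared by requester and target: the raw triadic-closure signal."""
    return neighbors(connections, requester) & neighbors(connections, target)

def established_mutuals(connections, requester, target, today, min_age_days=90):
    """Mutual contacts connected to BOTH sides for at least min_age_days (assumed
    threshold). A freshly assembled ring of shared contacts contributes nothing."""
    cutoff = today - timedelta(days=min_age_days)
    return {
        m for m in mutual_connections(connections, requester, target)
        if connections[(m, target)] <= cutoff and connections[(m, requester)] <= cutoff
    }

def triage(connections, requester, target, today):
    """Return (verdict, raw_mutual_count, established_mutual_count)."""
    raw = len(mutual_connections(connections, requester, target))
    established = len(established_mutuals(connections, requester, target, today))
    if established >= 2:
        return "likely genuine", raw, established
    if raw >= 2 and established == 0:
        return "suspicious: mutual contacts are all recent", raw, established
    return "unknown: verify out of band", raw, established

def build_sample(today):
    """Constructed graph: alice's long-standing circle, a genuine acquaintance
    'erin', and a hypothetical fake profile 'sb_42' that connected to alice's
    friends only in the last two weeks before requesting alice."""
    c = {}
    for friend, days in [("bob", 400), ("carol", 380), ("dave", 300)]:
        add_connection(c, "alice", friend, today - timedelta(days=days))
    for friend, days in [("bob", 200), ("carol", 150)]:
        add_connection(c, "erin", friend, today - timedelta(days=days))
    for friend, days in [("bob", 12), ("carol", 9), ("dave", 5)]:
        add_connection(c, "sb_42", friend, today - timedelta(days=days))
    return c

if __name__ == "__main__":
    today = date(2011, 11, 5)
    graph = build_sample(today)
    for requester in ("erin", "sb_42"):
        print(requester, "->", triage(graph, requester, "alice", today))
```

Both requesters show several mutual contacts, which is all a user sees in the "people you may know" prompt; only the age-weighted count separates them. A real platform would add account age, request rate and acceptance ratio to this, but the structural lesson is the same: mutual connections are only a trust signal when the mutual contacts are themselves trustworthy.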

Personal and professional social networkers (and organizations that are approaching social networks), consider yourselves warned!


Social Reputation On Sale

May 21, 2011

Would you buy a used car from a girl like that? Hmm… probably she is not the best person for this kind of deal, but I guarantee that if you wish to buy a few pounds of social reputation on sale, she is just the right (virtual) person. You only need to go on Twitter and search for @JuliannaAlln to understand why…

A few hours after publishing my last post about Mr. Obama’s speech and its implications for Revolution 2.0 (thanks to @brunehel for suggesting this intriguing name), I received a strange mention from @JuliannaAlln:

@paulsparrows: I just saw your tweet about Linkedin. This site is great for adding LinkedIn connections: http://is.gd.dfnfQV

A tweet about LinkedIn? It sounded strange to me: even if, in a certain sense, my last tweet mentioned social networks, it had (nearly) nothing to do with LinkedIn.

I could not help noticing the attractive young girl in the picture (a typical stereotype of social honeypots), and consequently at first glance I immediately thought of the affair of @PrimorisEra or Robin Sage. Anyway, since it is really unlikely that my unconfessable secrets could be of any interest to anyone for the purpose of espionage or anything else, this idea without rhyme or reason lasted only a few seconds: the truth is far less romantic and is just a click away, behind the link contained in the tweet.

As a matter of fact, the link inside the tweet takes you to Viralso, an Internet marketing agency whose main course consists in selling social reputation: for “only” 89 bucks per month you may choose to reach the respectable amount of 2400 LinkedIn connections (with a delivery rate of 200 per month) or 2000 Twitter followers (understandably, building a fake social profile on LinkedIn, where you must prove the references for your skills, is much harder). If instead you want to surprise your friends on Facebook with an endless array of friends, there is no problem at all: for “only” 89 bucks per month, 500 new friends (per month as well) will bring you to the noticeable number of 2400 friends. In any case you will be able to become a “social black hole” (in the sense that you will be able to attract anything to your profile), with 100% satisfaction guaranteed.

Looking at the matter more seriously, I find that this is only the latest implication of the polymorphic main concern of social networks, which is reputation, from a security perspective (can you really trust who you are talking to?) but also from an individual and (real) social perspective. In particular, from an individual perspective, social reputation (and social impact and credibility) is built not upon what an individual is (because the real identity is hidden behind an avatar) but upon the number of friends, followers or contacts the individual is able to show, even if there is no way to prove their real identities. If I cannot show or prove who I am, I can only use indirect tools (i.e. my contacts) to build my reputation.

The worrying thing is that apparently there is no difference between personal and professional social networks: I might understand the presumption of “virtual flirt hunters” who flaunt thousands of Facebook friends to impress unlikely prey; but I hardly understand how a huge number of fake professional contacts on LinkedIn could work, on a social network where references, at least on paper, can be verified. Maybe even for this reason the LinkedIn IPO went far beyond the most optimistic expectations (it feels like being back ten years ago).

Even if the agency claims that:

We do not incentivize people to Become a Connection on LinkedIn

We use proprietary marketing techniques to find “real people” that will become a LinkedIn connection.

the quotes around the term “real people” are more meaningful than a thousand words (and now that I know that the marketing process is based on the strategies used by President Obama and, above all, by Britney Spears, I feel much more comfortable). Actually I would be very curious to know how the not better defined “proprietary marketing techniques” are able to build the fake profiles, and to check, above all on LinkedIn, their level of (social) reliability; anyway I must confess that rather than trying it, I much prefer to spend my bucks (or rather my Euros, or Euri as we say in Italy) on a real social life, for instance with some real friends and a fresh beer…

Social Espionage

Updated on 5/6/2011: Primoris Era is Back!

A few days ago the Twitter community was shaken by the affair of @PrimorisEra, AKA “The tweeter who loved me”, a Twitter user with more than 23,000 tweets and 1300 followers, depicting herself as a young, attractive woman with a keen interest in missile technology and national security strategy. Her sudden departure subsequently raised many questions and concerns about the security of information on the Internet and on social networks. As a matter of fact, more than a few Twitter users who work in national security panicked upon hearing the accusation lodged against @PrimorisEra, since it looks like she (or he) allegedly requested sensitive information using Twitter’s Direct Messaging (DM) service, persuading several young men on Twitter (and Facebook as well) to divulge sensitive information over more than two years.

Although this interesting article explains the (alleged) real story behind it, and in a certain manner belittles the spy story, social pitfalls (socialeaks) remain more relevant than ever.

This does not surprise me: as soon as my colleague David told me the story (by means of a tweet, of course), the notorious affair of Robin Sage immediately came to mind: a fake Facebook (and LinkedIn) profile of a cyber threat analyst, who was able to gain access to email addresses, bank accounts and the location of secret military units from her 300 contacts, having persuaded them that she was a 25-year-old “cyber threat analyst” at the Naval Network Warfare Command in Norfolk, Virginia, an MIT graduate with 10 years of work experience despite her young age (she was also given private documents for review and was invited to speak at several conferences).

Lesson learned? Not at all, even though (nearly) every security professional should know very well, at least in theory, the story of Robin Sage and the risks connected with fickle social behaviour, above all in those blurred cases where professional and personal information overlap. Never ignore the first rule: young attractive girls have nothing to do with geeks, even if they often have persuasive arguments, sometimes so persuasive as to tear down one’s natural personal defenses (the first form of “physical” security), especially in those cases (as in the example of Robin Sage) where other trusted peers have already fallen into the (honey)trap and consequently appear among the contacts of the fake profile.

Even if @PrimorisEra or @LadyCaesar (another pseudonym of her digital identity) is not a spy in the pay of any foreign country, the possibility of using social networks for espionage, SecOps or PsyOps is far from remote. Indeed it is a consolidated practice and can already rely on an (in)famous example: that of Anna Chapman, the 28-year-old Russian spy living in New York, arrested on 27 June 2010 together with 9 other people on suspicion of spying for the Illegals Program under the Russian Federation’s external intelligence agency. One of the noticeable aspects of the whole story was her Facebook profile, full of hot pictures (and equally hot comments) used to attract friends, and probably as one of the ways to gather information (curiously, it looks like she did not show how many friends she had, as if to say that, unlike everyone else, spies apparently know how to deal with Facebook privacy settings).
