Do you know why huskies run together, in harness, in front of a sledge? It’s not because they’re chasing the leader and it’s nothing to do with food, either, or the whip. They run together because they like running together… The scientist who made this discovery said that just as huskies enjoy running together, humans gossip because they like gossiping together. It’s in the make-up of the creature: huskies are sociable running animals; humans are sociable gossiping animals. Neither we nor the huskies can change those core characteristics of our natures. I thought knowing that might help tee-up what we’re talking about today.
Web 2.0 appeals to that facet of human nature: we’re gossiping animals. We’re sociable, we seek companionship however and wherever we can get it. And now we can get it everywhere ... It’s good to talk, and it feels great to share – and not just words, but voices, pictures, videos, music, websites: first with workmates and friends, then with strangers who seem sympathetic. First locally, then nationally, and then, if you like, over the entire planet. There are blogs, where everyone has their own soap box or on-line diary, depending on their personality. And there are wikis, where the knowledgeable (and the not so knowledgeable) share their expertise with the world. Of course, social networking sites have proved to be incredibly popular, with Facebook claiming 750 million members at the last count. Then there’s instant messaging – a sort of on-line text messaging system, and web conferencing - providing virtual meetings and seminars. VoIP (or voice over IP) provides free or low-cost telephone calls via the Internet, and peer-to-peer networks which allow people to share files wherever they are. Together these technologies allow us to share not just text but all kinds of media – photos, videos, music, cross-linking of sites
This slide is a take on our predicament by Bruce Schneier, one of the top industry gurus. What he’s saying is essentially this: thanks to Web 2.0, what we can do online is more or less what we do when, say, we meet friends in a café or pub. Which is gossip about work, or friends. I show you my holiday snaps, or lend you that DVD or CD you wanted to borrow... What happens in the café or pub if a stranger gets too close? We lower our voices. We move away to a table in the corner... But in the virtual world, you don’t know the stranger is at your shoulder, and there’s nowhere secluded to move to. And there’s two other big differences. Everything we say in the café or pub vanishes into the air, and while it remains for a while in our two memories, it’s locked there for a bit and usually fades away. But everything we say and do on-line is imprinted, indelibly and publicly, forever. And it’s searchable, of course, by our old friend Google.
The second difference is that the technology lets us link our all our favourite places together So, to keep the analogy going, we can connect the café to the pub and the restaurant and the bowling alley and the library and the social club and the works canteen... So that when we say something in one of them, either it turns up in all the others, or intruders can make their way from one to the next picking up items of critical intelligence as they go. Which means that a crook who knows what he or she is doing can gather pieces of the jigsaw from the disparate places where we left them and begin to assemble a whole picture. And it’s probably a picture, if you looked at it in its entirety, which you wouldn’t want to share with strangers.
So where are the main dangers? Personal? Professional? Both, I’m afraid. Just look at the kinds of intelligence a skilled hacker can harvest from these sites: intelligence that can be used for impersonation, or to attack an IT system with a virus, or to entrap individuals’ computers without their knowledge and use them to distribute spam or pornography; or to enslave a whole lot of computers and use them to jam a company’s website and hold it to ransom. Then there’s varieties of sensitive and secret corporate information which can be stolen and sold; and crooks can raid your sites to steal your identity and use it for all kinds of nefarious purposes; or seize your passwords and credit card details and empty your bank account... The Web 2.0 industrial spy doesn’t need a set of disguises and skeleton keys. All he or she needs is just a laptop, web-literacy, patience and brainpower.
Robert Hanson [ CEO of SecTheory, a security consulting firm, and who has been working with web application security since the mid 90’s ] points out here how very simple it is to harvest information and Kelly Jackson Higgins [ senior editor at Dark Reading, and who has been called ‘the best connected reporter in security’ ] shows why it’s so easy: in essence, the social sites are open spaces and the users don’t bother to fence them in – or to mix the metaphor, the users are holding great big dinner parties with open front doors and letting anyone who wants to come in and join them at the table. Have you done anything to secure your social sites? Most people try but don’t know whether they’ve ever done quite enough, and to be honest, the sites themselves hardly make it a front page issue with an easy-steps guide, do they? There are an awful lot of settings to contend with, but also (some would say) it’s in the interest of social networking sites to have people expose their personal information. After all, selling personal information and targeted advertising is how they make their money! Can we boil down all these vulnerabilities to a single factor? Yes - it’s about our psychology: our innocent, trusting nature.
Do you use Twitter? What kind of things do you tweet to your vast army of followers? Do you tell your select group of fans what you’re doing, thinking... Tell them where you are, ever? Here’s a true story from a client: A young lady started to receive emails at work from an anonymous Hotmail account. At first they were annoying but the emails continued over a period of time (perhaps some weeks). It came to a head and caused some distress when the girl received an email which said something along the lines of &quot;you looked gorgeous in your gym-kit last night&quot;. We were then contacted by her line manager and asked to investigate. We were unable to trace the source or the sender of the emails. A Google search on the girl's email address took us straight to her Facebook profile which he accessed and discovered that her contact email was her employer’s email address, her presence at the gym and a variety of social events were advertised and her photo albums contained photos of her at some of those social events …The girl was informed and the emails stopped abruptly (as far as we know).
Here’s a real world example of how posting your location on social networking sites can result in burglary. Legal and General’s survey of more than 2,000 social media users in the UK showed that people just don’t think about the risks of what they post!
Let’s move on from tweeting to twocking. If you don’t know, it’s police slang. T.W.O.C stands for “taking without the owner’s consent.” Only in this instance we’re not talking about twocking a car, but an ID. Now, in the example on the slide, which is two guys working a couple of conferences, the ID was twocked with the owner’s consent, but the theory concerns “without” Let’s suppose we’re con artists. We find a desirable person, and we pinch his photo from here, and his biog and CV from somewhere else, and his blog from another site again, then we go to an online business forum where he doesn’t have a presence, and we bring it all together and put him there large as virtual life – only the traffic from that forum comes back to us. If the person behind whose ID we’re now masquerading is, as I say, one with desirable intellectual or commercial goodies, then a lot of folks will want to link up with him, and their lives, their secrets and their goodies might be ours for the taking.
You should always make sure that anyone you connect to really is who you think they are. Impersonation is an online epidemic. Sometimes the motives are criminal and sometimes they’re just plain malevolent, and sometimes they’re a mixture of both. Once tricksters or fraudsters have stolen a Facebook ID, and it happens all the time, then they’re got a route through to all the victim’s friends, and maybe they send them a video clip with “hey, you have to look at this”, and once the friends open up and look, in comes the Trojan and down comes the malware onto their machines. Be circumspect, be cautious. Ask yourself, “would he, would she, really send me this? Is this typical behaviour?” Fall back on an old technology. Make a phone call. Ask and check. I’ll give you another human vulnerability that’s there for the exploitation. “I can’t be bothered.” So you don’t check “I’ll take it on trust.” So you hit the key and it’s “bye bye security, farewell identity.”
Facebook and sites like it are pretty generous hosts – actually, a harsher description would be undiscriminating hosts – not just for you, but for outsiders offering games, quizzes, services, all kinds of apps Some of them aren’t the harmless fun they pretend to be. So your basic rule is always, if in doubt, check. And if you can’t check, say no – say no, in particular, to anything that’s appealing to your baser instincts – sex, greed, something-for-nothing, because that’s precisely where the scammers hope your reaction will be “oh, what the heck? I’ll take it on trust.” Like the “secret crush” scam. Who wouldn’t be tempted to find out who had a “secret crush” on them? But then you should think, “wait a minute, why do I have to get at least five friends to join in before I find out who is this lunatic who fancies me?” Why else, if not to lure five friends and then five more and five more again into the same trap and spread the virus.
A security expert called Graham Cluley created a fake profile of a small plastic frog called Freddi Staur (which is an anagram of ID Fraudster) and invited strangers to become Freddi's friend. And sure enough scores of people accepted the invitation, and many of them revealed their full names, addresses, dates of birth, phone numbers and even - in one case of a real klutz - their mother's maiden name. Freddi Staur ate my ID. Identity theft is a real and present danger on social sites and it takes on average 6 months for victims to restore their credit rating! Then you get spam and bot infections where attackers hijack Facebook accounts and send messages to the victims’ friends to dupe them into viewing a video clip link, which, once they open it, turns out to be a Trojan that silently downloads malware onto their machine. The crossover of personal to professional online presence is something you have to watch out for like a hawk: Even if you keep a Facebook account for personal use, and a LinkedIn one for professional networking, there’s no guarantee that those late-night partying pictures aren’t going to end up in front of your colleagues on LinkedIn, or worse, your boss. So don’t post anything on the one that you wouldn’t want to turn up unannounced in the other. And real Fredi Staurs with their eyes on crime could eat up the organisation’s secrets as well – both from information you accidentally broadcast to the world on a social networking site and by using your details to conduct a social engineering attack - take a look at this next slide …
Social Networking - An Ethical Hacker's View
Social NetworkingAn Ethical Hackers’ View Peter Wood Chief Executive Officer First•Base Technologies LLP