How to Fool a Security Researcher
This is a (slightly edited) extract from the November ThreatSense Report, included here as it makes a very serious point about social networking.
Andrew Lee conducted a fun but disquieting thought experiment in the course of an amusing and informative presentation on user education at the recent Virus Bulletin Seminar.
Most security researchers have an innate distrust of Facebook, and perhaps all social media. Facebook, though, is particularly untrusted, by virtue of its founder’s habit of putting his foot in his mouth, and some unfortunate system/administration slip-ups, but most of all due to the fact that it continuously walks a line between its core business (sharing customer information) and its duty of care to protect its customers from inappropriate disclosure. Does anyone think it always gets that balance right? Thought not…
Nonetheless, some researchers do have Facebook accounts, and may have more than one reason to do so: research into current FB issues, a means of disseminating security and product information, an extra channel for communication with other researchers, or a combination of these. Some, believe it or not, even use it as a way of communicating with their friends and relatives, just like everyone else. And you’d think that in general, they’d probably be more careful about security and privacy than most. Well, in general, they are. But…
Andrew’s presentation made use of a flaw affecting Facebook’s signup procedure (no, we’re not going to tell you what it is for obvious reasons, and we expect it to be fixed very shortly in any case) that was used to set up an account in someone else’s name (an individual well-known in the AV industry) without his knowledge. Then the conspirators used that account to invite a number of people to become that person’s FB friends. During the presentation, Andrew used a live demo to illustrate how many (security) people had responded to the bogus overtures. And yes, several of them were in the room at the time.
Earlier in his presentation, he’d described three of the main human “vulnerabilities” exploited by social engineers: fear, trust, and greed. This was certainly an illustration of how a violation of trust can cascade: as more people accepted, so the likelihood increased that someone else who received the invitation would be put off their guard when they saw that they had N mutual friends. However, he also made use of another of the “seven deadly vices” I described in a 1998 EICAR paper on social engineering: that is, curiosity. The individual whose identity had been spoofed is well-known as one of the least likely individuals in the security industry to start using Facebook, so it was natural that people were curious to see what “he” was up to.
However, no damage done: it wasn’t a real attack. And in any case, it’s reasonable to assume that people whose jobs are focused on security and privacy will be reasonably careful in choosing what data they will publish on Facebook or similar semi-open networks, and the latitude they will allow the company in sharing it. And this particular loophole is expected to be closed, as already mentioned. However, there are many ways of spoofing identities in social networking. What ways are there to minimize the risk?
Well, in this case, it would have made sense for more people to have confirmed that the invitation was genuine (that is, from the person it seemed to be from) using an “out-of-band”, trusted and trustworthy communication channel. Perhaps an email or instant message to a known “good” address, or even (good heavens!) a phone call. Bear in mind, though, that email addresses and phone numbers can also be compromised. It may not seem likely that an attacker would try to manipulate all these channels, but what if you were being used as the target or vector for an individually targeted attack? Teams assembled to target government departments, SCADA facilities and the like are often both knowledgeable and well-resourced (think Stuxnet).
Footnote: a tip of the hat to Pamela, for reminding me that in Australia, there is legal precedent for regarding legal documents delivered via Facebook as “legal and binding”: this demonstration illustrates just why that precedent – based on the naive assumption that because Facebook requires account holders to use genuine identities, that will always be the case – is fundamentally flawed.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow