This is the first of what is intended to be a three-part series. I’ve used this space to talk about the concepts of Open Source Intelligence using Social Networks, with the early analysis focused on LinkedIn (Part 1, Part 2).
This weekend, when Mike Arrington created a fake Eric Schmidt (CEO of Google) on Facebook, I was reminded of a few other attacks. He put a tiny new spin on it by using a believable email address, but he missed some subtle cues that could have made it much more convincing and therefore devastating.
First of all, the style of attack that Mike did is pretty old news. Since some of the darker parts of the web have been doing these for *years*, I’m going to cover them in great detail here. Hopefully people can take steps to better protect themselves. Anything detailed here that might be illegal is neither condoned nor encouraged by me, anyone I work with, nor my ferocious kittens. I highlight it here for analysis only.
I first saw this one in action almost four years ago (early 2007). Facebook was mostly college-only and Myspace was still a behemoth but starting to fall. The overlap between the two groups of users was pretty low but growing quickly. And that was the important part:
The first step was to find someone who was on Myspace but not on Facebook, then create a Facebook account for them. Since most people are polite enough to fill out their interests and basic background – like age and high school – building a convincing Facebook profile would be trivial. Most likely they’ve also posted pictures of themselves on Myspace, so you could even find a picture or three of them.
Next, look at their friends on Myspace and track them down on Facebook. Ideally, you’d choose a handful of the most connected people, or a cluster of people with some common tie that isn’t too specific. All in the same garage band, family members, or people from their current job would be bad. If they were all at a high school together and that was a few years ago, fantastic. You want believable connections, but preferably not someone they interact with too regularly.
Once the first few people connect, the rest is the easy part. Each person lends a little bit of their own credibility to the profile. This builds a “Web of Trust” around the profile. As more and more people agree to connect, the profile itself becomes more believable, to the point where no one questions it and others initiate connections.
Of course you wouldn’t be fooled by this, would you?
Bzzt. Wrong.
As evidence, I introduce Robin Sage. Robin is a cute 25-year-old cyber threat analyst. She worked in the Naval Network Warfare Command in Norfolk, VA. Over a span of two months, she connected to dozens and even hundreds of security specialists, military officers, and people at the US intelligence agencies. Even better, she was invited to speak at a number of security conferences. The only problem: Robin Sage doesn’t actually exist. Luckily, it was an experiment by a security researcher, but he proved his point.
She was completely made up and therefore began with zero credibility, and still managed to fool security professionals.
What if Mike had gone a couple of steps further? Could he have contacted people and received sensitive information? Could he have posted as Eric and damaged personal reputations? Could he have “leaked” information that would damage Google in the stock market? Mike has access to a lot of non-public information from various startups; could he have caused problems (or benefits!) for them?
How much more devastating is the attack detailed above?
I’ve also submitted some of this analysis as a Core Conversation to SXSW 2011 under the title “Shattering Secrets with Social Media”. If that sparks your interest, let me know, as I’m turning it into a regular presentation for interested technology groups.