Leveraging Social Networks

Attackers can use social applications such as MySpace and Facebook to gain inordinate amounts of information about a company’s employees. Information such as an employee’s hometown, her interests, and even incriminating pictures are available on these sites.

Social applications attempt to prevent unauthorized parties from viewing users’ information. However, social applications and their users benefit from that information being publicly available, making it easier for people to find others who share similar interests without knowing them first. Users of social applications are therefore given an incentive to share as much data as they can; the more data they share, the more they benefit from the social network.

Facebook and MySpace

The popularity of social applications such as Facebook and MySpace has grown exponentially around the world. These applications are driving a phenomenal paradigm shift in how people communicate and collaborate.

From an attacker’s point of view, a wealth of information is available from profiles on social networking websites. An attacker can obtain an amazing amount of information without even having an account on some social networking applications, such as MySpace. Alternatively, an attacker can easily create an account to gain the ability to interact with a targeted individual. For example, an attacker may send friend requests to an employee of a specifically targeted company to gain additional knowledge of the company.

Abusing Facebook

Social applications have many inherent weaknesses despite all of the security built into them. For example, after browsing to Facebook.com, an attacker can click the “Forgotten your password?” link and select the option of not having access to his login email address. (This option is legitimately available for Facebook users who do not have access to their original email account and those who have forgotten their Facebook credentials.) Figure 1-7 shows the page the attacker sees in this situation. The attacker can obtain the requested information from the targeted individual’s Facebook profile. If it is not accessible, the attacker can use another social networking site, such as LinkedIn or MySpace.

Figure 1-7. Facebook’s forgotten password functionality; this is only for cases where the user selects that she does not have access to her original email account

Once the attacker has obtained and submitted this information, he is presented with Figure 1-8. The additional “private” information being requested in this example is the target’s college graduation year. Figure 1-9 shows the target’s graduation year, obtained from her LinkedIn profile.

Figure 1-8. Request for target’s college graduation year

Figure 1-9. LinkedIn profile showing the year the target graduated college

Once the additional information has been submitted, Facebook sends the attacker the email shown in Figure 1-10.

The attacker responds to the email, as requested by Facebook. After a few hours, the attacker receives another email describing how to change the password on the account. This example shows how easy it is to use the biographical information posted on social applications to break authentication mechanisms.
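The reset flow just described is knowledge-based authentication: the account is handed to whoever can supply a few biographical facts, and those facts are the very ones people publish on their profiles. The following example is added here and is not code from the book; it contrasts that weak check with a recovery flow built on a random, single-use, expiring token delivered out of band. The user record, the "public profile" data, the `send_email` hook and the `TokenResetService` name are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample data (not a real account) ---------------------------
USER = {
    "email": "alice@example.com",
    "hometown": "springfield",
    "graduation_year": "2004",
}
# What a stranger can read off the user's public profiles (constructed); note
# that it is exactly what the weak flow below asks for.
PUBLIC_PROFILE = {"hometown": "Springfield", "graduation_year": "2004"}


def _norm(s: str) -> str:
    return s.strip().lower()


# --- Weak design: knowledge-based authentication ----------------------------
def kba_reset_allowed(user: dict, hometown: str, graduation_year: str) -> bool:
    """Grants the reset to anyone who can answer questions whose answers are
    low-entropy (a graduation year is one of a few dozen values) and often
    public. This is the style of check the text shows being defeated."""
    return (_norm(hometown) == user["hometown"]
            and _norm(graduation_year) == user["graduation_year"])


# --- Hardened design: out-of-band, single-use, expiring token ---------------
TOKEN_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5


class TokenResetService:
    """Stores only a hash of each token; the cleartext token is sent once, to
    the registered address, and never sits in the database."""

    def __init__(self, send_email):
        self._send_email = send_email   # hypothetical delivery hook (constructed)
        self._pending = {}              # email -> [token_hash, expiry, attempts]

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str, now: float) -> None:
        token = secrets.token_urlsafe(32)   # 256 random bits, not a guessable fact
        self._pending[email] = [self._hash(token), now + TOKEN_TTL_SECONDS, 0]
        # Delivered out of band; the HTTP response to the requester should be
        # identical whether or not the address exists, so nothing is leaked here.
        self._send_email(email, token)

    def redeem(self, email: str, token: str, now: float) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expiry, attempts = entry
        if now > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[email]        # expired or hammered: invalidate
            return False
        entry[2] += 1
        if not hmac.compare_digest(token_hash, self._hash(token)):
            return False                    # constant-time compare, no oracle
        del self._pending[email]            # single use
        return True


def demo() -> dict:
    """Runs both flows against the constructed data and reports each outcome."""
    results = {}
    # 1. Public biographical facts satisfy the knowledge-based check outright.
    results["kba_passes_with_public_data"] = kba_reset_allowed(
        USER, PUBLIC_PROFILE["hometown"], PUBLIC_PROFILE["graduation_year"])

    # 2. Token flow: profile data is useless; only the mailbox owner sees the
    #    token, it works once, and only inside the TTL.
    outbox = []
    svc = TokenResetService(send_email=lambda to, tok: outbox.append((to, tok)))
    t0 = 1_700_000_000.0
    svc.request_reset(USER["email"], now=t0)
    delivered = outbox[-1][1]
    results["guessed_value_rejected"] = svc.redeem(USER["email"], "2004", now=t0 + 1)
    results["real_token_accepted"] = svc.redeem(USER["email"], delivered, now=t0 + 2)
    results["replay_rejected"] = svc.redeem(USER["email"], delivered, now=t0 + 3)

    svc.request_reset(USER["email"], now=t0)
    stale = outbox[-1][1]
    results["expired_token_rejected"] = svc.redeem(
        USER["email"], stale, now=t0 + TOKEN_TTL_SECONDS + 1)

    svc.request_reset(USER["email"], now=t0)
    real = outbox[-1][1]
    for i in range(MAX_ATTEMPTS):
        svc.redeem(USER["email"], f"guess-{i}", now=t0 + 10)
    results["locked_out_after_max_attempts"] = svc.redeem(USER["email"], real, now=t0 + 11)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the comparison is where the secret lives: in the weak flow it is a fact about the user that the user has every incentive to publish, while in the token flow it is generated by the server, unguessable, and worthless once used or expired. Where a site must keep a fallback for users who have lost their mailbox, it should treat that path as high risk: add a delay and notification to the old address, require more than one independent factor, and log and rate-limit attempts rather than relying on biographical questions.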

Attacks such as this are becoming more frequent and are gaining media coverage. During the 2008 presidential election, the attack on vice presidential hopeful Sarah Palin’s Yahoo! email account received abundant media coverage. Figure 1-11 shows a screenshot of a forum post describing how the attacker found all of the necessary information to defeat Yahoo!’s security reset mechanisms.

Figure 1-10. Facebook’s response

Figure 1-11. Description of how the attacker obtained access to Sarah Palin’s Yahoo! account

Twitter

Twitter is a microblogging application. A microblog consists of small entries that users post from “connected” devices. More and more people are using Twitter to collect their thoughts about different things they encounter and post them to the Internet. Messages on Twitter are often unedited, informal, and off-the-cuff. Because of this, the information has a tendency to be very accurate and genuine.

An attacker can use Twitter’s search interface, http://search.twitter.com, to search Twitter messages given a specific keyword. Depending on the target, it may be beneficial for attackers to seek information about a specific individual or organization.

In February 2009, Pete Hoekstra, a member of the U.S. House of Representatives, used Twitter to update his precise whereabouts while traveling to Iraq. Figure 1-12 shows Hoekstra’s message.

Figure 1-12. Pete Hoekstra’s Twitter message

It is clear from this example how the information individuals put on microblogging channels can aid attackers. In this case, the location information Hoekstra posted to Twitter could have aided terrorist efforts that may have jeopardized his security. Messages posted on microblogging channels such as Twitter are therefore extremely important and useful to attackers.

Note

For more information on the Pete Hoekstra incident, see “Pete Hoekstra Uses Twitter to Post from Iraq about Secret Trip” at http://www.mediamouse.org/news/2009/02/pete-hoekstra-twitter-iraq.php.
