Study findings.
60.4% of USAF personnel posting on MySpace have provided sufficient information to make themselves vulnerable to adversary targeting (Figure 6-2), including seven critical variables of information: first name, last name, hometown, home state, duty location, public account, and job type. 25.4% were found to be fair targets, and only 14.2% were found to be poor targets (not vulnerable).
Figure 6-2. 60.4% of 500 participants were vulnerable to adversary targeting.
TwitterGate: A Real-World Example of a Social Engineering Attack with Dire Consequences.
On May 1, 2009, a French hacker going by the alias of Hacker Croll announced that he had penetrated Twitter's security and accessed its company records. (Twitter is a popular microblogging service.) Screenshots of a few of them were posted as proof on a forum at zataz.com, a French website.
This was the second time in 2009 that Twitter had a breach in its security (the first being in January by a hacker named GMZ), and also for the second time, Twitter CEO Evan Williams announced that a "thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data" would be done.
Williams also claimed, much to Croll's chagrin, that no important files were accessed, nor was anything taken.
Deciding to teach Twitter a lesson and provide a warning to corporations everywhere, Croll sent a zipped file of over 300 Twitter documents, including financial statements and executive memos and meeting notes, to TechCrunch, a popular and influential IT website owned by Silicon Valley entrepreneur Michael Arrington.
TechCrunch created a firestorm of controversy on July 16, 2009, when it published a number of the stolen documents on its website.
TechCrunch followed that up with a detailed accounting of exactly how Hacker Croll accomplished his break-in. He didn't use any hacking tools, Croll told reporter Robert McMillan for a May 1, 2009 article for IDG News: "One of the admins has a Yahoo! account, I've reset the password by answering to the secret question. Then, in the mailbox, I have found her [sic] twitter password," Hacker Croll said Wednesday in a posting (pany with emphasis on creating an employee list.
For every employee identified, he looked for email addresses, birth dates, names of pets, spouses, and children.
He began accessing popular web services that each employee may have had an account with (e.g., Gmail, Yahoo!, Hotmail, YouTube, MySpace, Facebook, etc.), and using the discovered email address as the username (which frequently is the case), he initiated steps to recover the password. Passwords are often answers to standard questions, such as "What is your mother's maiden name?", or the service may provide an option to email the forgotten password to a secondary email address. This is where Hacker Croll's patient discovery of personal data combined with flawed security design and sheer luck to enable a successful hack.
Croll tried to access a Twitter employee's Gmail account. He opted for emailing the forgotten password to a secondary email address. Gmail provides users with a clue as to which email address they had picked by obscuring the first part but revealing the service. Once he saw it was a Hotmail account, Croll went to Hotmail and attempted to log in with the same username. Here is where luck stepped in: Hotmail's response to Croll's login attempt was that the account was no longer active. Croll immediately re-registered the account with a password that he picked, then went back to Gmail and requested that the forgotten password be emailed to the secondary account, which Croll now owned. Gmail reset the password and sent out a new one to the Hotmail account, thus giving Croll full access to a Twitter employee's personal email.
His next task was to discover the original password and reset it so that the employee would never suspect that her email account had been hacked. Thanks to Gmail's default of storing every email ever received by its members, Croll eventually found a welcome letter from another online service that, for the member's benefit, fully disclosed her username and password. Recognizing that 99% of web users stick with the same password for everything, he reset the Gmail password to the one he just discovered, and then waited for the Twitter employee to access her Gmail account. Sure enough, the employee soon signed in, sent a few emails, and signed out, never suspecting a thing.
Now armed with a valid username and password, Croll dug further into the employee's Gmail archives until he discovered that Twitter used Google Apps for domains as their corporate email solution. Croll logged in with his stolen employee username and password and began searching through all of that employee's company emails, downloading attachments, and, in the process, discovered the usernames and passwords for at least three senior Twitter executives, including CEO and Founder Evan Williams and Co-founder Biz Stone, whose email accounts he promptly logged into as well.
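The three design weaknesses the account-recovery chain above depends on (a hint that reveals which provider hosts the recovery address, a recovery address that is trusted long after it may have lapsed, and a new password mailed in the clear) can be shown side by side with a hardened flow. The following is an added example, not code from the book or from any provider named in the story; it assumes a service that records each account's recovery address and when that address was last verified, and the re-verification window and token lifetime are illustrative choices.

```python
"""Account recovery: the weak design from the story beside a hardened one.

Added example, not the book's code or any real provider's implementation.
Assumed: a service stores each account's recovery address and the time that
address was last verified; the thresholds below are illustrative choices.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RECOVERY_REVERIFY_WINDOW = timedelta(days=180)   # assumption: re-verify at least this often
TOKEN_TTL = timedelta(minutes=15)                # assumption: reset tokens expire quickly
UNIFORM_REPLY = "If this account has a verified recovery address, instructions were sent to it."


@dataclass
class Account:
    username: str
    recovery_email: str
    recovery_verified_at: datetime
    pending_tokens: dict = field(default_factory=dict)   # sha256(token) -> expiry


def weak_recovery_hint(account: Account) -> str:
    """Weak design: masks the local part but still reveals which provider hosts the address."""
    local, domain = account.recovery_email.split("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def weak_recovery(account: Account, outbox: list) -> str:
    """Weak design: mails a fresh password to whoever currently controls the recovery
    address, with no check that the address is still the user's."""
    new_password = secrets.token_urlsafe(12)
    outbox.append((account.recovery_email, "Your new password is " + new_password))
    return "A new password was sent to " + weak_recovery_hint(account)


def recovery_address_is_stale(account: Account, now: datetime) -> bool:
    """An address not re-verified within the window may have lapsed and been re-registered."""
    return now - account.recovery_verified_at > RECOVERY_REVERIFY_WINDOW


def hardened_recovery(account: Account, now: datetime, outbox: list, audit: list) -> str:
    """Hardened design: uniform reply, no password by mail, stale recovery addresses refused."""
    if recovery_address_is_stale(account, now):
        audit.append(f"{now.isoformat()} recovery refused for {account.username}: stale recovery address")
    else:
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        account.pending_tokens[token_hash] = now + TOKEN_TTL   # only the hash is stored
        outbox.append((account.recovery_email, "Reset token: " + token))
        audit.append(f"{now.isoformat()} recovery token issued for {account.username}")
    return UNIFORM_REPLY   # same text on every path: the requester learns nothing


def redeem_token(account: Account, token: str, now: datetime) -> bool:
    """Accept a token once, and only before it expires."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    for stored_hash in list(account.pending_tokens):
        if hmac.compare_digest(stored_hash, token_hash):
            expiry = account.pending_tokens.pop(stored_hash)   # single use
            return now <= expiry
    return False


if __name__ == "__main__":
    now = datetime(2009, 5, 1, 12, 0)
    # Constructed account whose recovery address was last verified over a year ago.
    lapsed = Account("employee", "j.doe@mail.example", now - timedelta(days=400))
    outbox, audit = [], []
    print(weak_recovery(lapsed, outbox))              # reveals the provider and mails a password
    print(hardened_recovery(lapsed, now, outbox, audit))
    print(audit)
```

The hardened path answers identically whether or not anything was sent, refuses a recovery address that has not been re-verified within the window (the lapsed-and-re-registered case in the story), stores only the hash of a short-lived single-use token, and leaves an audit line for the refusal so that repeated recovery attempts against one account become visible to the defender.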
Croll didn't stop there either. He continued to expand his exploitation of Twitter data by logging into the AT&T website for cell phone records and iTunes for credit card information. (According to the TechCrunch article, iTunes has a security flaw that allows users to see their credit card numbers in plain text.) The end result can be seen online, as TechCrunch published some of the stolen information, and the rest will probably find its way online eventually through other channels.
Although this real-life example of computer network exploitation (CNE) did not involve a government or military website, the essential process is the same. Had this been a successful SQL injection attack instead of a pure social engineering attack, all of the usernames and passwords would have been discovered in a matter of minutes and a full dump of the contents of the company's database would have occurred.
Twitter may soon become the world's largest SMS-based channel of communication. It is already being exploited by the intelligence services of numerous nations, thanks to the publicity that it has received during the Iran election protests and last year's Mumbai terror attacks. One of the many take-aways from this unfortunate event is that the users of social software applications (Twitter, Facebook, etc.) should immediately institute strong passwords and usernames and change them frequently, and each user should be more cognizant of the amount of personal data that he reveals in cyberspace.
Automating the Process.
The advent of social software and its rapid popularity has transformed the way that intelligence organizations around the world can collect information on their adversaries.
Both the United States and the Russian Federation armed forces have been struggling to find a way to prevent, reduce, or control the spontaneous writings of their troops on their personal web pages in a variety of social media, which often reveal far too much information on matters impacting OPSEC. If this information is scraped, filtered, and aggregated properly, it can easily provide an asymmetric advantage to one's enemy.
For an intelligence operative who is seeking to recruit and turn a person employed in a sensitive position, social software is a dream come true. No longer do case officers have to rely solely on arranging in-person meetings or one-to-one engagements to build relationships that may lead to turning a foreign service officer into an espionage asset, for example.
Today, almost the entire recruitment process can be done online, from finding likely candidates to building out a profile, to crafting an online presence with a backstory that will act as a suitable lure.
The new case officer might very well be a social network analyst familiar with the open source information retrieval library called Lucene, Hadoop for scaling to thousands of nodes of information, and Nutch for data retrieval, parsing, and clustering, all fed by the APIs that each social software service has conveniently created to entice developers to build new, fun applications on top of their platforms.
Spook Finder 1.0, anyone?
Catching More Spies with Robots.
A more sophisticated alternative is the use of robots (bots) that, with the right programming, can appear online as a genuine person.
The following content was provided by a Russian technologist and member of the Project Grey Goose team at my request. It represents, at the time of this writing, a serious and emerging threat present on Russian social networks, but Project Grey Goose investigators expect to see these capabilities migrate over to Facebook and other social software sites in the very near future.
The automation and virtualization of social network entities.
Automation and simulation of artificially created activities performed inside Russian social networks (vKontakte.ru and Odnoklassniki.ru) are virtualizing communication to the degree that one cannot be certain of whom one is really becoming friends with.
In a normal social network scenario, a user would create a profile, upload a couple of pictures, record his ties to universities and/or place of work in the profile, and, for the most part, then be ready to find and begin socializing with friends or colleagues. But how does one tell the real thing from a virtual mock-up?
That is what's happening right now in the Russian social networks VKontakte.ru and Odnoklassniki.ru. Virtual entities are pretending to be real people in a way that enables criminals to gather personal information from the unsuspecting.
If a social network relies on a system of "votes" or ratings to validate trust, accumulating enough of them to raise "trust" to an adequate level can already be automated.
If a site is vulnerable to a cross-site scripting attack, thousands of users can be affected within mere seconds, just by pushing a button on the operator's workstation.
If a group of people does not like a particular participant or the site itself, it takes only 10,000 rogue users connecting simultaneously to bring the server down and cause a denial of service.
If one needs a user's trust or password (which is very close to being the same thing in certain circumstances), there's nothing to prevent the operator from inviting unsuspecting users to a social honeypot, a virtual society created by the attacker to lead "the herd" to adversarial actions.
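Automated trust inflation of the kind described above (votes delivered by a pool of freshly created accounts) leaves a signature in the vote log that a site operator can look for: a burst of votes for one target, most of them cast by accounts registered shortly beforehand. The following is an added example, not code from the book or from either Russian network named; it assumes a network that logs each vote together with the voter's account-creation time, and the sample log and the thresholds are constructed for illustration.

```python
"""Flagging automated trust-vote inflation from a vote log.

Added example, not the book's code; assumes a network that records each vote
with the voter's account-creation time. The log is constructed and the
thresholds are assumptions chosen for it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_VOTES = 5                         # assumption: a burst must hold at least this many votes
BURST_WINDOW = timedelta(minutes=10)  # assumption: votes this close together form one burst
NEW_ACCOUNT_AGE = timedelta(days=2)   # assumption: voters younger than this count as "new"
NEW_VOTER_SHARE = 0.8                 # assumption: suspicious when most voters in a burst are new

# Constructed sample log, one vote per line: "<vote time> <voter> <voter account created> <target>"
SAMPLE_LOG = """\
2009-05-01T10:00:00 bot01 2009-04-30T22:00:00 profile_a
2009-05-01T10:00:30 bot02 2009-04-30T22:01:00 profile_a
2009-05-01T10:01:00 bot03 2009-04-30T22:02:00 profile_a
2009-05-01T10:01:30 bot04 2009-04-30T22:03:00 profile_a
2009-05-01T10:02:00 bot05 2009-04-30T22:04:00 profile_a
2009-05-01T10:02:30 user_old 2007-03-10T09:00:00 profile_a
2009-04-20T08:00:00 alice 2007-01-01T00:00:00 profile_b
2009-04-22T12:00:00 bob 2006-06-15T00:00:00 profile_b
2009-04-25T18:30:00 carol 2008-02-02T00:00:00 profile_b
2009-04-28T09:15:00 dave 2007-11-11T00:00:00 profile_b
2009-04-30T14:45:00 erin 2008-08-08T00:00:00 profile_b
2009-05-01T11:00:00 frank 2007-05-05T00:00:00 profile_b
""".splitlines()


def parse_vote_log(lines):
    """Turn log lines into (vote_time, voter, voter_created, target) tuples."""
    events = []
    for line in lines:
        vote_ts, voter, created, target = line.split()
        events.append((datetime.fromisoformat(vote_ts), voter,
                       datetime.fromisoformat(created), target))
    return events


def find_vote_rings(events):
    """Return {target: details} for targets that received a burst of votes from new accounts."""
    by_target = defaultdict(list)
    for vote_ts, voter, created, target in events:
        by_target[target].append((vote_ts, voter, created))

    flagged = {}
    for target, votes in by_target.items():
        votes.sort()                       # chronological; sliding window below needs this
        for i in range(len(votes)):
            j = i
            while j < len(votes) and votes[j][0] - votes[i][0] <= BURST_WINDOW:
                j += 1
            window = votes[i:j]
            if len(window) < MIN_VOTES:
                continue
            new_voters = [v for v in window if v[0] - v[2] <= NEW_ACCOUNT_AGE]
            share = len(new_voters) / len(window)
            if share >= NEW_VOTER_SHARE:
                flagged[target] = {
                    "votes_in_burst": len(window),
                    "new_voter_share": round(share, 2),
                    "voters": sorted(v[1] for v in window),
                }
                break                      # one burst is enough to flag the target
    return flagged


if __name__ == "__main__":
    for target, details in find_vote_rings(parse_vote_log(SAMPLE_LOG)).items():
        print(target, details)
```

On the constructed log only profile_a is flagged: six votes inside three minutes, five of them from accounts created the previous evening. profile_b, whose six votes arrive over eleven days from long-standing accounts, never fills a window. In practice the output feeds a review queue, and the account-age and burst thresholds are tuned against the site's own baseline rather than fixed at the values assumed here.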