Techworld and ComputerWorld recently reported an incident that shows the risks of engaging with strangers via social networks. Thomas Ryan from security company Provide Security (with a generic name like that I feel for their SEO person) created a fake profile for a woman named Robin Sage, who posed as a Navy cyberthreat analyst and tried to befriend around 300 real people in the US military, defence contractors, infosec companies and intelligence agencies. It was a 28-day experiment that was to be showcased at the BlackHat USA 2010 conference, which finished yesterday.
These incidents are a sobering reminder of how easy it is to conduct social engineering for nefarious purposes. Fortunately, no real damage was done other than having the accounts cancelled (Facebook also banned Ryan permanently and closed his account). The fake LinkedIn profile is still visible in the Google cache.
However, DarkReading.com, a security-related website, provided more details about a serious incident caused by this fake Robin Sage. A soldier in Afghanistan had uploaded digital photos that were taken during his deployment. While we see such images every day in the news media, getting hold of the actual image file reveals a lot of metadata embedded by the camera. High-end cameras such as my Panasonic Lumix ZS7/TZ10 (well, it’s at the high end of the non-SLRs) also have a GPS receiver that can be switched on to store the camera’s geographical coordinates when the image was taken.
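To make the metadata point concrete, here is an added example (my own illustration, not code from the article or from any of the companies it mentions) showing where those coordinates live inside a JPEG and how to check for and remove them before an image is shared. The camera stores GPS data in the Exif APP1 segment as a "GPS IFD" of degrees/minutes/seconds rationals; the parser below reads that structure directly, and `strip_exif` drops the whole segment. The sample file is constructed inline with an obviously fictional position of 12°30' S, 45°15' W and carries no image data, so it runs offline.

```python
import struct

# Constructed sample: a minimal JPEG carrying only an Exif APP1 segment with a
# GPS IFD (no image data). Not a real photo; the coordinates are made up.
def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Assemble a big-endian ("MM") Exif block with a GPS IFD and wrap it in
    a JPEG SOI + APP1 segment. All offsets are relative to the TIFF header."""
    def rationals(dms):
        return b"".join(struct.pack(">II", num, den) for num, den in dms)

    def entry(tag, typ, count, value):          # one 12-byte IFD entry
        return struct.pack(">HHI", tag, typ, count) + value

    gps_ifd_off = 8 + 2 + 12 + 4                # after TIFF header + 1-entry 0th IFD
    lat_off = gps_ifd_off + 2 + 4 * 12 + 4      # after the 4-entry GPS IFD
    lon_off = lat_off + 24                      # three rationals = 24 bytes
    tiff = b"MM" + struct.pack(">HI", 0x2A, 8)
    tiff += struct.pack(">H", 1)                # 0th IFD: just the GPS pointer
    tiff += entry(0x8825, 4, 1, struct.pack(">I", gps_ifd_off)) + b"\0\0\0\0"
    tiff += struct.pack(">H", 4)                # GPS IFD with four entries
    tiff += entry(0x0001, 2, 2, lat_ref.encode() + b"\0\0\0")   # GPSLatitudeRef
    tiff += entry(0x0002, 5, 3, struct.pack(">I", lat_off))      # GPSLatitude
    tiff += entry(0x0003, 2, 2, lon_ref.encode() + b"\0\0\0")   # GPSLongitudeRef
    tiff += entry(0x0004, 5, 3, struct.pack(">I", lon_off))      # GPSLongitude
    tiff += b"\0\0\0\0" + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1


def iter_segments(jpeg):
    """Yield (marker, start, end) for each JPEG marker segment before SOS/EOI."""
    pos = 2                                     # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI or SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, unpack):
    """Return {tag: (type, count, raw 4-byte value/offset)} for the IFD at offset."""
    n = unpack("H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = unpack("HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def extract_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees from the Exif GPS IFD, or None."""
    for marker, start, end in iter_segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]
        endian = ">" if tiff[:2] == b"MM" else "<"   # byte order is declared per file

        def unpack(fmt, raw):
            return struct.unpack(endian + fmt, raw)

        ifd0 = _read_ifd(tiff, unpack("I", tiff[4:8])[0], unpack)
        if 0x8825 not in ifd0:                  # no GPS IFD pointer at all
            return None
        gps = _read_ifd(tiff, unpack("I", ifd0[0x8825][2])[0], unpack)

        def coord(ref_tag, val_tag):
            if ref_tag not in gps or val_tag not in gps:
                return None
            ref = gps[ref_tag][2][:1].decode("ascii")
            off = unpack("I", gps[val_tag][2])[0]
            parts = [unpack("II", tiff[off + 8 * k:off + 8 * k + 8]) for k in range(3)]
            d, m, s = ((num / den) if den else 0.0 for num, den in parts)
            value = d + m / 60 + s / 3600
            return -value if ref in ("S", "W") else value

        lat, lon = coord(0x0001, 0x0002), coord(0x0003, 0x0004)
        return None if lat is None or lon is None else (lat, lon)
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, start, end in iter_segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                           # image data and EOI are kept intact
    return bytes(out)


# Constructed input: 12°30'00" S, 45°15'00" W (fictional position).
SAMPLE = build_sample_jpeg([(12, 1), (30, 1), (0, 1)], "S",
                           [(45, 1), (15, 1), (0, 1)], "W")

if __name__ == "__main__":
    print("geotag:", extract_gps(SAMPLE))            # (-12.5, -45.25)
    print("after strip:", extract_gps(strip_exif(SAMPLE)))   # None
```

Run it as a file and it prints the decoded position, then `None` once the segment has been stripped. The same `extract_gps` check works on real camera output because it follows the declared byte order and offsets rather than assuming a fixed layout; note that stripping APP1 also removes non-location Exif fields (camera model, timestamps), which is usually what you want before posting anyway.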
In most cases, the enemy knows the positions of Coalition army patrols in their region, but they usually wouldn’t know where covert, elite units such as the US Army Rangers operate. If a series of images can be plotted on a map to reveal a route, the implications are chilling.
Ryan took some trouble to create a Twitter account some months ago (cached page) and a Blogger account. Robin Sage is the name of the final training exercise before a Green Beret is awarded. He left a few obvious flaws in her profile such as having a 10-year working history and being 25 years old. The attractive photo undoubtedly eased her ability to gain connections, including some who worked in the same facility!
A few weeks ago the US and Russia swapped some spies. The Russians caught in the US included some who faked their profiles – Yahoo News.
According to another article, in the military publication Armed with Science, Ryan obtained enough information from one of the connections to be able to answer security questions about his bank account such as “what was my first car?”.
Scary, if your online trail includes your mother’s maiden name (think of genealogy data) and other data that is commonly used to answer security questions. Even when everyone in your social network is discussing pets, think before revealing your first pet’s name (particularly if you are using your real name).
Speaking of real names, it is possible for a real person to be impersonated by another. Known as the “evil twin” attack, people who are not active online are particularly vulnerable. Think of everybody you know who knows your date of birth, mother’s maiden name, names of teachers, etc. Other than family, this would include your classmates. Some of them might have photographs of you that can be used to beef up a fake profile. By searching online, it is easy to find references to the victim such as hobbies, sports teams followed, home address, etc. Once the evil twin connects with the friends of the victim using a network such as Facebook, additional connections will come unsolicited, once friends of friends assume they are connecting with someone they know.
There are many types of fake LinkedIn profiles:
The conclusion is obvious. If you have an account at a social networking site, don’t befriend anyone who asks you for a connection. Their profile might be fake. If you work for someone important and they don’t have a social networking account, then get their permission for you to reserve one in their name at all the usual sites. No need to embellish it.