Inside Cyber Warfare - Jeffrey Carr [89]
In his blog post on the subject, Jeff points to Facebook as an example of what channel consolidation might look like:
Facebook makes a great example of channel consolidation. All your emails, instant messages, status updates, past/present/and future travel, annotated photos, your social circle, memberships, self-expressed interests, and more...all bundled together in one nice little package, under your user account. Traditionally such life details are expressed on diverse channels—unobservable to any single entity. No more. Facebook, with this panoramic view of its users, now likely has a substantially more complete picture of a person than almost any other single entity.
How powerful is this? Here is one example: if you are a Facebook user maybe you have noticed the increasingly (spooky smart) relevant ads. I get ads that read “Are you 44, a triathlete, and want abs like this?” Or a well-timed ad over the summer when I was in Southern California that read: “Are you looking for a triathlete coach in the Orange County area?” It is so relevant I find it very hard not to click on the ad! (Be assured I do resist.)
The more sense Facebook makes of users, the better the service, the more folks will find Facebook irreplaceable, the more users will flock to the platform, and last but not least, the more advertisers are willing to pay. Everyone seems the winner.
An Adversary’s Look at LinkedIn
LinkedIn and other social networking sites are essentially trust networks, but with little in the way of authentication. Therefore the obvious question—how reliable is the trust that is extended?—remains a difficult one to answer.
Nitesh Dhanjani, a computer security expert who specializes in the financial sector, believes that the problem will grow worse and that our privacy, reputations, and identities are at stake. (See his book Hacking: The Next Generation (http://oreilly.com/catalog/9780596154585/) [O’Reilly].)
Nitesh points to LinkedIn as an example. Imagine that you are a consultant with a profile at LinkedIn. Your contact list represents intellectual property and you want to protect it from the prying eyes of your competitors. At the same time, it may benefit you to share that property in a way that is mutually beneficial. This requires a way to authenticate the identity of each member, something that doesn’t yet exist on any social networking site, including LinkedIn.
From an adversarial point of view, how would one take advantage of this situation? Since LinkedIn builds its identity-management structure around email addresses, a social engineering hack would probably take advantage of that. Email addresses are easy to spoof, so all one needs to do to access a target’s contact list is to get the target to connect with a fake LinkedIn account. Here is the process that Nitesh imagined:
Think of an individual the target LinkedIn member may know but who doesn’t yet have a LinkedIn account.
Create an email address with the name of this individual, such as firstname.lastname@yahoo.com or firstname.lastname@gmail.com. You can go as far as creating a similar-looking domain name of the company the individual may work at (for example, @applee.com, @app1e.com, etc.).
Create a profile on LinkedIn with the name and email address of the individual.
Send an invitation to the target using the new LinkedIn account, and wait for the target to accept.
Bonus: other people the target is connected to will notice that he or she has added a new friend (the individual you picked). Should the individual happen to be a mutual friend of these people, they will likely attempt to connect to your new LinkedIn profile, offering you even more details about the target’s network.
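A defensive check for the two address patterns in the steps above, as an added example (not from the book or from Nitesh Dhanjani): it labels an incoming invitation whose sender domain is a near miss of a domain you already deal with, or whose only identity evidence is a name in a freemail address. The function names, the digit-to-letter map, and the sample addresses are constructed assumptions.

```python
import re

FREEMAIL = {"yahoo.com", "gmail.com"}  # the two providers named in the text
# Constructed map of digits often substituted for letters (app1e -> apple).
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_invite(display_name, email, known_domains):
    """Label an invitation by what its sender address actually proves."""
    local, _, domain = email.lower().rpartition("@")
    if domain in known_domains:
        # Exact match only; still not proof of identity, since the
        # text notes that email addresses are easy to spoof.
        return "known-domain"
    skeleton = domain.translate(DIGIT_SWAPS)
    for good in known_domains:
        if edit_distance(skeleton, good.translate(DIGIT_SWAPS)) <= 1:
            return "lookalike-domain"
    name_parts = set(display_name.lower().split())
    local_parts = set(re.split(r"[._+-]", local))
    if domain in FREEMAIL and name_parts and name_parts <= local_parts:
        # firstname.lastname@freemail: anyone can register this address.
        return "freemail-name-only"
    return "unknown"

if __name__ == "__main__":
    # Constructed invitations; "Pat Example" is a made-up contact.
    known = {"apple.com"}
    for addr in ("pat.example@apple.com", "pat.example@app1e.com",
                 "pat.example@applee.com", "pat.example@gmail.com",
                 "pat@example.org"):
        print(f"{addr:26} {classify_invite('Pat Example', addr, known)}")
```

Anything other than "known-domain" is a cue to confirm the invitation with the person through a channel you already use with them before accepting.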
Once connected, the circle of trust is established and resources begin to be exchanged, partly facilitated by LinkedIn’s own user interface and partly out of enthusiasm of