The Dark Alleys of a Virtual World


DeviantArt: "Future City Concept" by frenic

In this modern world full of technology at every corner, life is wonderful as you surf the Internet. It is a virtual city full of excitement and thrills, just like any city in the real world. But, in the real world, there are also dangers lurking around every corner: A conman here, a creepy guy there. You would take precautions in the real world to avoid these potential dangers. Shouldn’t you do the same as you and your family travel through the virtual city?

There are many threats that populate this new, digital world known as the Internet. And several of them would not be very dangerous were it not for the human psyche. It is because of this quality that many of the threats become a large vulnerability and pose a big threat to our safety, our security, and more importantly, our children. In fact, even Stephen King knew of this well enough to write, “The trust of the innocent is the liar’s most useful tool.” These flaws are being constantly exploited by a threat known as social engineering which takes advantage of how people behave in order to compromise our security and safety. It does this by using tools such as phishing and pharming, social networks and false identities, and even ourselves, in order to gain trust, gather information, persuade a victim to do something or go somewhere to meet, and to accomplish their devious goals.

Imagine this scenario: you are looking through your emails when you see that your bank has set up a new security feature and is asking you to send them your password in order to migrate to the new server. Or they ask you to log in to the bank in order to fix some error with your account. How many times have we clicked on a link provided without really paying attention to where the link leads? Metaphorically speaking, if you were buying a car at a car lot, would you happily buy a car, as is, without inspecting it, then realise entirely too late that it didn’t have a motor? Then why would you click on a link without inspecting it first? This is the basic setup of a technique known as phishing, and it works primarily because most people tend to trust others who appear to be trying to help.

Phishing, which is pronounced the same as “fishing”, uses a principle similar to the sport’s. A phisher places bait, perhaps by sending an email that looks like it came from your bank or email provider, and asks for your login information. Once you, the fish, take the bait, the fake page gathers your information for the phisher to use to access your accounts. Another form of this technique is called pharming, which takes it a step further. It uses malware, such as a virus or Trojan, to take over your computer, typically by tampering with how it looks up web addresses. Once infected, your computer thinks it is taking you to the correct page but is in fact taking you to a false page set up to look like the real one. This is an old trick which, surprisingly, still works quite well, and attackers continue to use it and benefit from it.
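The advice above is to inspect a link before clicking it. The script below is an added example (not code from the original post) of what that inspection looks like when automated: it pulls every link out of an HTML e-mail body and reports the warning signs a phishing lure tends to carry, such as the visible text naming one domain while the link goes to another, a bare IP address or punycode host, or a host outside the domains you have decided to trust. The e-mail body is constructed, the `mybank.example` domain stands in for whatever you actually trust, and `registrable_domain` is a deliberate simplification that ignores public suffixes like `co.uk`.

```python
"""Inspect the links in an e-mail body before anyone clicks them (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Simplification: a production check would
    consult the public-suffix list so that 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(href, display_text, trusted_domains=frozenset()):
    """Return a list of reasons a link deserves suspicion (empty = nothing found)."""
    url = urlparse(href)
    host = url.hostname or ""
    findings = []
    if url.scheme != "https":
        findings.append("not https")
    if host.replace(".", "").isdigit():
        findings.append("host is a bare IP address")
    if "@" in url.netloc:
        findings.append("user-info before the host (classic disguise)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host (possible look-alike characters)")
    # The visible text shows one domain while the link actually goes elsewhere.
    shown = display_text.strip()
    if shown and " " not in shown and "." in shown:
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append(f"text shows {shown_host} but link goes to {host}")
    if trusted_domains and registrable_domain(host) not in trusted_domains:
        findings.append(f"{host} is not one of the trusted domains")
    return findings


def scan_email(html_body, trusted_domains=frozenset()):
    """Run inspect_link over every anchor in an HTML e-mail body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [(href, inspect_link(href, text, trusted_domains)) for href, text in collector.links]


# Constructed sample: the first link mimics the "fix your account" lure from the
# article (trusted-looking text, untrusted destination); the second is genuine.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://mybank.example.login-verify.example/reset">https://www.mybank.example/login</a>
<p>Need help? <a href="https://www.mybank.example/help">Help center</a></p>
"""

if __name__ == "__main__":
    for link, findings in scan_email(SAMPLE_EMAIL, {"mybank.example"}):
        print(link, "->", findings or "no issues")
```

The mismatch check is the one that catches the lure in the sample: the text reads `www.mybank.example`, but the link resolves under `login-verify.example`, a domain the bank does not own. Mail gateways and browser extensions do a richer version of this, but the same comparison is what a careful reader does by hovering over a link.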

One of the most popular versions of this social engineering attack, the Koobface virus, whose name is an anagram of Facebook, is a primary example of how pharming works. A normal user receives a post or email stating there is a video or photograph that they must watch, most likely sent to them by a friend. The message looks interesting, and since it came from a friend, it should be safe. Curiosity, being another part of the human tendencies I am writing about, motivates them to finally open the video. As they click on the video, a popup appears warning them that an update is required to view the video. This is where many fail to see the danger and click on the link. What they think is an update is in reality the actual virus being installed with the user’s full permission. Once installed, the virus may perform a variety of tasks, including capturing the user’s saved logins and passwords, redirecting their web browser, and sending covert transmissions to other infected computers, as well as other functions. Once the user’s information is sent back to the attackers, the attacker can then pose as the user, log in, and post another copy of that virus or send it to all their email friends in order to start the cycle over again. A security entry in Microsoft’s portal added that the new version also had the ability to send chat messages, post status updates, as well as comments. In 2010, Joel Yonts from the SANS Institute wrote that, “The Koobface family of malware was first documented by researchers in mid 2008 and has trended as one of the top infectors throughout 2009 up to… early 2010. [Its] primary propagation method is through social networking sites such as Facebook, Twitter, MySpace, and Friendster.”


Lana Turner

Another form of social engineering tends to be a bit more personal and is a technique we have all seen, yet many still fall prey to it. Though this technique has evolved and adapted to the Internet, it is not a new technique by any means. In various movies, a nice person, stereotypically a seductive person of the opposite sex, sweet-talks a target in order to get information or access to a certain location. They smile, act friendly, even offer the person some drinks and compliment them in order to gain their trust. Once they are talking openly, they start asking small questions that would seem trivial or casual to unsuspecting souls. In the military community, there is training known as OPSEC and SAEDA which teaches you to be aware of warning signs. Whereas in the movies they make it clear that they are a bad person and are up to no good, in real life the signs are a lot less defined, even more so on the Internet, where most of the time you may not know who is truly on the other end of the conversation.

Although social networks are wonderful sites to meet new people, especially for people who are uncomfortable at social events, they are perhaps the most dangerous places on the Internet. Social networking has become a common routine for most. Between networks like Facebook, Twitter, and other sites, the potential that many have talked openly about private matters with complete strangers is frightening. I also believe this is the most dangerous because this is where the highest concentration of children resides nowadays. The problem with this is that online predators are aware of this and might take advantage of the fact that they do not have to post their real information in order to be accepted into people’s pages. Children, not knowing any better, will accept people as friends just because they say they are friends or because they mention they like the same things or have the same interests.

Beware of online predators!!!

In a study conducted of 1,501 teens, “Most youth readily admitted they were not certain of the ages of solicitors they met online. Eighty-five percent of youth whose contact with perpetrators was limited to the Internet said they were not at all, or only somewhat certain of the solicitor’s age.” A big fix for this would be for parents to teach the old streetwise tactic of “Never talk to strangers!!!” If it worked in the real world, it should work on the web. Sadly, however, since the person in question is not in front of them physically and they posted that they were located in another state or country, the threat seems more distant and gives parents and children a false sense of security and trust. Once an online predator has gained trust, they start being regarded as friends, which puts them in the position of being able to start gathering information or becoming closer. Many adults know the other phrase they used to teach kids, “Don’t tell anyone you’re home alone.” Unfortunately, this message seems like a moot point as a study conducted by the Rochester Institute of Technology in New York shows that “16% posted personal interests online, 15% posted information about their physical activities and 20% gave out their real name. In addition, 5% posted information about their school, 6% posted their home address, 6% posted their phone number and 9% posted pictures of themselves.” Now you may be saying, “Teens will be teens!” However, the truth, according to statistics provided on the Internet Safety Awards website, is that “42% of children ages 3-11 were online in 2008, accounting for over 15.4 million children. The number [was] expected to reach 15.8 million children in 2009, and projected to climb to 16.6 by 2011.”

Until this point I have pointed out social engineering whereby a complete stranger manipulates and exploits human flaws of trust in order to deceive and gather information or attempt to get the victim to perform a certain action, in the case of adults, give them your pin, your passwords, hand them money, send them your credit card and social security number and more. On the scarier side, I have also pointed out how unknown predators use social networking sites to gain the trust of children in order to use social engineering in a more frightening manner: Find out what they like, are they alone, where do they live, earn their friendship, and worse, perhaps meet them somewhere. What about my third reference? Surely I didn’t mean ourselves! As a matter of fact, yes, yes I did.

Chris Cox, president of the Operations Security Professional’s Association (OSPA), wrote that George Washington had once commented that “even minutiae should have a place in our [secure] collection, for things of a seemingly trifling nature, when enjoined with others of a more serious cast, may lead to valuable conclusion.” And Sun Tzu’s strategies seem to supplement it perfectly by adding, “Pay attention to small, trifling details!” Nowadays, whether you are on Facebook, Twitter, or some other site, the odds are that you have posted something that might be a piece to a bigger puzzle. For example, a wife posts that she is excited about her husband coming home next week. Her husband posted a comment on his site that he is currently in the middle of country X. Another Soldier stated that his company is leaving next week on Wednesday. Another posted a picture of his company posing in front of the flag during their stay at country X.

So, without any interaction with the bad guy, this unit has basically given the enemy a plethora of valuable information. He now knows that a Soldier, who belongs to a certain unit, will be deploying back on a certain date. He even knows how large the company is just by looking at the company photo that another Soldier has posted. All he has to do now is wait to see if other units are also leaving and how many troops there are to get a semi-accurate figure, all without wasting any effort in getting the information besides looking at people’s web pages. Another example, in case the military one does not apply to you. How many friends have ever posted photos of themselves and where they live, stated that they live in City M, on Y Street, that they just painted their house or planted a new tree, and that they are excited that they’re going on vacation in a few days? Now, a thief, by knowing where they live, what they look like, that they just painted their house and that they are planning on not being there, has more than a potential invitation to rob the place. If the last two examples don’t apply to you, I’ll throw in two for you sports fanatics. In football, how many times have you heard the quarterback shout out, “OK, I’ll be throwing the ball to number 37 on the left!”? Or have you ever heard the pitcher of a baseball team exclaim, “OK, I’m going to try and trick you by throwing a curve ball next!”? I haven’t and, odds are, neither have you. That is because they understand the dangerous consequences of giving the opposing team a large advantage by giving out too much information and letting them prepare for what’s to come or where to attack.

Hugh Laurie as House, MD

Unfortunately, this is not the end. Not only do we hand over data by posting it publicly for the whole world to see, but most of us betray ourselves by looking for the easiest way out when it comes to security. Dr. House said it best: “People choose the paths that grant them the greatest rewards for the least amount of effort.” We create easy passwords that we associate with a partner’s or child’s name, a favourite sports team, a birthday or anniversary, a pet’s name and many others. According to Ashlee Vance from the NY Times:

One out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data…[Amichai Shulman and a company called Imperva] examined a list of 32 million passwords that an unknown hacker stole…from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace…[and] found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.” More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

What’s even worse is the fact that most people tend to not only make the mistake of putting too much information on the Internet, but they compound the danger by using the same weak password on every one of their accounts, the very same password that most likely other users have employed. This can be serious because once a hacker discovers a password that works he is then able to access all the other accounts as well. These are the techniques that several hackers used in order to gain access to Twitter back in 2009. In the first attack, according to a Wired.com article from 2009, an 18-year-old hacker admitted to hijacking multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News. The hacker said he gained entry to Twitter’s administrative control panel by pointing an automated password-guesser at a popular user’s account. The user turned out to be a member of Twitter’s support staff, who’d chosen the weak password “happiness.”

In the second incident, several months later, a hacker was able to guess the answer to the secret question in order to reset the password to a Twitter administrator’s email account. Once he had compromised that account, he found the password to the Twitter administrator’s tool in an email and was able to access Twitter’s information.

Finally, an attacker can also use a combination of the techniques above in order to take over your identity. A crook, much like in the second Twitter story, is able to access your email account by finding your simple password. Once he logs in as you, he then attempts to use that same password on your other accounts, most likely your bank. If the password works, success! If not, all he has to do is request a password reset, since most likely it’s set up to email you at the email he now has control over. If they ask for the personal question, most likely they’ll ask something that you’ve already posted on MySpace or Facebook, which should be rather easy for him to find.
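The three habits this section describes (a common or easily guessed password, a password built from details already posted on a profile, and one password reused across accounts) are all things you can check for yourself. The script below is an added example, not code from the original post or from any of the services it names: `password_problems` flags the first two habits, and `find_reused_passwords` takes the contents of a local password manager and reports which accounts share a password, so the e-mail-then-bank chain described above cannot be walked. The common-password set is a constructed excerpt of the choices the article cites, and the sample vault is made up.

```python
"""Flag the password habits the post warns about (added example)."""
import hashlib
import re

# Constructed excerpt of the choices the article cites; a real check would load a
# full breach-derived list.
COMMON_PASSWORDS = {"123456", "12345", "password", "iloveyou", "abc123", "qwerty", "princess"}


def _fold(text):
    """Lower-case and keep only letters and digits, so 'Rex-1985!' and 'rex1985'
    compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_problems(password, profile_words=(), min_length=12):
    """Return the list of reasons a password is weak; an empty list means none found.

    profile_words: things an attacker could read off a social-network page
    (pet, partner, team, birth year), which the article says people build
    passwords from.
    """
    problems = []
    folded = _fold(password)
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS or folded in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if folded.isdigit() and len(folded) >= 4:
        problems.append("digits only (dates, phone numbers, sequences are guessed first)")
    for word in profile_words:
        w = _fold(word)
        if len(w) >= 3 and w in folded:
            problems.append(f"contains profile detail '{word}'")
    return problems


def find_reused_passwords(vault):
    """Given {account: password} as a local password manager holds them, return
    groups of accounts that share a password. Only a digest of each password is
    used for the comparison."""
    by_digest = {}
    for account, password in vault.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append(account)
    return sorted(sorted(accounts) for accounts in by_digest.values() if len(accounts) > 1)


# Constructed sample vault showing the reuse chain from the article: the e-mail
# password is also the bank password, so one guess opens both.
SAMPLE_VAULT = {
    "email": "happiness",
    "bank": "happiness",
    "forum": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    print(password_problems("Rex1985!", profile_words=["Rex", "Steelers", "1985"]))
    print(find_reused_passwords(SAMPLE_VAULT))
```

The profile-word check is the part most people skip: a password can pass a length rule and still be the pet's name and a birth year that are both visible on the owner's page. Running the reuse check over a real vault is the quickest way to find out whether an e-mail compromise would also hand over the bank.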

Are you paranoid yet? I hope so. As I mentioned in the beginning, the Internet, much like the real world, is a wonderful place to explore. But, just like in the real world, you have to keep your common sense about you so as not to draw unwanted attention. Furthermore, you should realise that, unlike in the real world, there are more perils, since we release information to the world that we wouldn’t normally tell a stranger on the street or an enemy. Regardless of what the enemy’s motive is, whether to gain information or to get us or our families to do something, he has many tools at his disposal, from phishing, to using social networks and hidden identities, to even using our own willingness to share information and our laziness in securing it.

How do we protect ourselves? There is an old Latin phrase, Nosce te ipsum which means “Know thyself.” In order to assess your security, you have to recognise and understand your flaws and learn how to protect them. The Persian poet, Saadi, wrote “reveal not every secret you have to a friend, for how can you tell but that friend may hereafter become an enemy.” What’s the definition of an enemy and how do you identify who your enemy is? According to the book, Catch-22, that is a very simple answer: “The enemy is anybody who’s going to get you killed, no matter which side he’s on.”

So, my challenge to you is this: Follow the Latin saying. Nosce te ipsum! Know thyself. Who knows? You may discover that your biggest enemy just might be you!


Good vs Evil by umerr2000
