The Black Hat 2009 Sneak Peek is this Thursday. Black Hat is going to be giving a sneak peek of talks that they feel are interesting from their 2009 lineup. We are glad, once again, they have found one of our talks interesting enough to include in their sneak peek, especially given the lineup. Not sure why they picked our talk, but we will do our best not to let them down 
We will be discussing our talk called Weaponizing the Web: More Attacks on User-Generated Content. If you would like more information or would like to register for the webcast you can do so here
-
Pages
-
Twitter Updates
Categories
-
Archives
-
Blogroll
-
Meta
Not Sponsors, just stuff I like
Hello Everyone. I just thought I would drop a quick note. Shawn Moyer and I are speaking at Black Hat US 2009. Our talk is called Weaponizing the Web: More Attacks on User Generated Content. We are going to be talking about attacking sites with user controlled content. In the modern web environment, that’s a whole lot of sites. This content can be turned around and used against the site, the user, or other sites.
If you are going to be out at Black Hat this year also check out Michael Murphy and Aaron LeMasters’ talk Rapid Enterprise Triaging(RETRI). Mike and Aaron are fellow members of Hexsec. Anyway, that’s all for now.
Social networks are shrouded in mystery. Just their very existence defies the laws of physics. If it were the late 40’s men in strange suits would be trying to dissect them at some top secret facility, but we have come so far since then Even though this sounds ridiculous, this is what many would have you believe about social networks. Why you ask? Because many of the people that talk about attacks and the dangers of social networks don’t even use them. They make all kinds of assumptions about soc nets that are completely false. The funny thing about assumptions when you are theorizing attacks is if your assumptions are faulty then your conclusions are faulty. Let’s cut the crap and focus on the real threats to social networks and their users.
Bruce Schneier just had a post in his blog about Social Networking Identity Theft Scams. In this blog post he refers to an article on ITworld titled Why you can’t trust ‘friends’ on Facebook as clever. This isn’t clever, this is dumb and extremely improbable. This is a perfect example of people talking about social networks that have no idea how they are used. The explanation of the scenario shows a clear lack of understanding of how social network users view and interact with their network.
I will not go in to all the specifics of what they were talking about, but it is based on the premise that you view your social network “friends” as you view your friends and family from the non-web world. Now, it’s possible and even likely that you may meet someone on a social network and actually become friends with them. This may even be part of the appeal for someone participating in a social network. The problem for an attacker is cultivating a true friendship takes time, effort, and resources. Attackers and scammers are all about effort vs reward. They are not going to take 6 months to a year of effort to try and scam someone out of 100 dollars.
Some other faulty logic they used is blurring the lines between the topic they were talking about and the Nigerian scam where they compromised peoples actual accounts. They then sent messages to their friends saying they were stuck in Nigeria and needed money. Still dumb, but this is a compromise of an already established social network presence. A far greater difference than a friend of a friend that you don’t know asking for money. You can see more information about that here. True they both ask for money, but the scenarios are far different.
Now This is Nasty
If you want to talk about dangerous, during the talk Shawn Moyer and I did at Black Hat and Defcon last year and even our ShmooCon talk this year I mention a concept that involved attacking innocuous functions. On certain social networks this would allow you to semi-hijack a person’s social network identity. The concept deals with blocking communication and creating a denial of service condition for all visitors to someone’s social network profile. You could then create a new, duplicate identity with the user’s information and try to re-friend previous friends. In the message you tell them something went wrong with your account and you had to create a new one.
This is far more dangerous than the scenario that the article goes in to. It’s much easier than trying to compromise someone’s account, you are able to disrupt normal communications between friends, and you are able to potentially hijack already established trust. An attacker could then run a scam under this identity giving them a higher percentage of success.
Social Networks and Safety
I am the last one to say that social networks are safe, for example see here and here. I just can’t stand bad information and fear mongering. Yes, fear mongering. “The child molesters are going to get your kids on the social networks”. Yuck! In a comment on his own blog post Bruce said,
“I’ve seen some of my friends on Facebook put their address and phone number on their information page. Anyone they add can see it, and one such person I know has well over 1,000 friends. Not a good combination with videos of his two small children posted.”
Why is that not a good combination. You can’t possibly believe that 0.1% of the Facebook population are child predators?
Now it’s true that some people do put far too much information on their pages. This is due to the fact that it is not clear to them what is really sensitive.
A Note To Parents
Child predators are not trolling social networks (with any significance) trying to molest your kids. Child predators are opportunistic just like other types of attackers. They are not going to see an address on a social network and pay the house a visit. There are just too many variables for the predator to deal with. Parents, guns, neighbors, witnesses, geographic locations, and many other factors make this a prohibitive method for them to use.
Now as far as them using social networks to try and contact your kids there are many factors there as well. Social networks do monitor their network. Some networks are better at it than others, but there is the monitoring factor. Not to mention the person would have to spend quite a bit of time creating a relationship with your kids, which leaves them at risk for being found out by parents. I mean hopefully your kids don’t just go off to meet with strangers. If that is the case then you have much larger problems.
As parents you have control over the internet connection and your kids usage of the Internet. Know who they are talking to and what their activities online are. Remember your being curious not paranoid. You get paranoid over things you have no control over, these are your kids Know who they talk to and who their friends are. After all, a predator is going to try to get them alone and away from parents.
There is always the rare case that is the exception to the rule. Things happen and there are people who are just nuts and don’t think logically. People have been watching too much To Catch A Predator and think that the world is crawling with child molesters. Common sense should be your guide not a television show that is trying to get ratings. Besides in that show they had people posing as teens in an adult chat rooms, not social networks. Which just goes more to the point that I made about these individuals being opportunistic.
If you want more proof about the social network threats to kids being overblown you can read more about it from the New York Times here.
The Thief Scenario
Having your address on your soc net page and then a message saying, “On vacation out of the country” seems like (and really is) a stupid thing to do. Let’s look at it closer from the viewpoint of a thief. There are many variables here as well that still wouldn’t make this feasible. What about alarms, house sitters, family, neighbors, etc. This is on top of the information gathering activities that a thief would have to do prior to targeting someone anyway.
Now what is much more likely that attacker would target someone and augment their activities with information they find on social networks. These sort of targeted, personal information gathering activities can be pretty dangerous, but still not very realistic from a thief’s perspective. Thieves are opportunistic as well. What would change the scale is if you had known assets that someone REALLY wanted. This would warrant the time put in to the information gathering activities. Even in these scenarios the information from social networks only helps, the person would most likely be targeted anyway. There are rare exceptions, but just trying to put this in to perspective.
Social Landscape
There are aspects that make social network ripe targets for attack. They are a large collecting point for users. They are made up of mostly user generated content, many allow extensions and 3rd party applications. Any large collecting point of users is going to be looked at by an attacker. These are just the facts, but when discussing dangers and threats we need to look at them in terms of real risk. When we raise the danger flag for things that aren’t necessarily a risk we may draw attention away from things that really are a danger.
I particularly enjoy the individuals who say that they would never join a social network or communicate with people who do. As if people that use social networks somehow don’t know something that they do. I turn that around, why not use social networks? Are you socially inept and not able to communicate with your fellow man? Do you even know what social networks are used for? Of course, using social networks is a personal preference. It doesn’t have any bearing on the user’s awareness or intelligence level. However there are millions of the ugliest MySpace pages in history just waiting for you to view them
Now there are some social impacts when professionals use social networks that I may cover in another post, because these have impacts as well.
In Closing
The low level of probability of these attacks is no excuse to be careless with your information. I just wanted to put some things in perspective and curb potential fear mongering. When you participate in a social network you are responsible for the information you post about yourself.
I think ultimately if you read articles or hear people theorizing about attacks on social networks and they don’t have a social network presence, be skeptical. This is especially true when they are discussing social attacks. While it’s true that social networks are just web applications sometimes the vulnerabilities come from how users interact with them. This often requires participation for understanding.
Lastly, I want to make it clear once again, I am not vouching for the safety of social networks by any means. There are many dangers on social networks. I just want to make sure that we focus on the true dangers of social networks so we can raise awareness for those issues.
The past few days there has been a bit of a stink about some bogus LinkedIn profiles. There have been plenty of news sources reporting that LinkedIn profiles are serving malware or making it seem like profiles are infected somehow. A few examples of that can be found here and here and here. At least The Register called these people falling for this fools. What the titles of these reports imply are dead wrong. LinkedIn profiles are not actively attacking users.
The issue is very simple, it is a hyperlink to another site that infects idiots with Malware. A hyperlink to another site, not getting attacked from viewing a profile. When you allow users to link to off-site content, you lose control of the request, however, this isn’t like allowing users to pull content in from other sites to display on their profiles. This typically has very little impact. This is no different than any other site, message board, or social network.
Give me a break, like Beyoncé Knowles has a LinkedIn page and is going to have a hyperlink on there to a place to view her nude pictures. That’s the issue these sites are referring to, dumb isn’t it? How does that get turned in to words like serving, harboring, or redirecting? These words imply some sort of active action on LinkedIn’s part, which doesn’t describe the situation here AT ALL. If you ran a message board and someone had a hyperlink to Goatse, does that mean you are serving, harboring, or redirecting to Goatse? Of course it doesn’t. This would just be an indication of your user base. I wonder how many people were brave enough to click the Goatse link above It’s not Goatse, promise.
Is there really no end of the Internet news stories this week to scare people with so people decided we should be scared of LinkedIn? This is basically spreading FUD. I personally don’t see why LinkedIn should take any heat from this. The feature of LinkedIn that allows you to link to your Company, personal site, or some other site should remain a part of LinkedIn’s features. I really hope they don’t go with something like MySpace did with the msplinks stuff. This would basically put a big obnoxious splash page up that states you are about to visit content off of the site. Yeah, well no crap I just clicked on the link so of course I want to visit the page. I personally don’t think that is a very effective control for these types of attacks anyway. The only time that control is effective is if it isn’t clear to the user that they are visiting content off the particular site they are on. I have seen in the past MySpace profiles that were compromised and the whole profile links to a bogus MySpace login page. In that case the user seeing the warning would be alerted that something is wrong, however, you are still going to have a large amount of people just cough up their credentials anyway. Sometimes all the controls in the world just can’t fix stupid. The same people that would fall for this are the same ones that click on spam emails claiming the same thing. It’s a mentality not a technical security issue.
Let me state this, if you are not a complete idiot then this issue will not affect you in the least bit. These profiles are not performing any active attacks on users of LinkedIn. There are much more scary things out there than this, trust me. Don’t fear using LinkedIn because of issues like this. LinkedIn really has a very limited feature set which lowers their attack surface. They have much less functionality that other social network such as MySpace, Facebook, Hi5, etc. Would you really care to see Beyoncé Knowles’ LinkedIn profile anyway? I bet she is boring and fake. Her LinkedIn profile would state, “I have never had to work for anything in my life and everything has been handed to me because dummies think I have talent. I love screwing over my friends and taking money out of their pockets”. She should apologize to the world for creating that DirecTV Upgrade song. Yuck! Wait a minute, she doesn’t write her own music… Anywhoo….
I can’t believe I had to write this blog post, but the sheer number of people talking about this and linking to these stories was too much. Just practice smart Internet browsing habits mixed with common sense and you will be fine. As always, I recommend using the Firefox web browser with the extensions NoScript and Adblock Plus. Have a good week, the end of the Internet is next week
Hello Everyone. I just wanted everyone to know that I will be speaking at ShmooCon 2009 with Shawn Moyer. Our Topic is Fail 2.0: Further Musings of Attacking Social Networks. This will be an update to our Black Hat / Defcon 16 presentation. Update as in, we will have some new material and updates to what we have previously talked about. We won’t be consistently beating an already dead horse. We felt that the topic still contains quite a bit of relevance. As companies continue to shift their focus toward social networks and social networking platforms in general, they are encountering the same security problems. Even though social networks are web applications, they do offer some unique challenges over other common web applications. We will be explorisploiting these differences 
As you probably know, Cross-Site Request Forgery (CSRF) can be a devastating vulnerability. Much of the focus has been on how this can affect your online accounts. CSRF can be used to exploit the trust of an authenticated connection you have to a web application. As an example, Shawn Moyer and I demonstrated several of these on Social Networks for our Black Hat 2008 / Defcon 16 talk. Slides from our talk can be downloaded here. I mean, the vulnerability itself was originally reported in 1988 so it is an old issue. Many people don’t realize that you can use CSRF to attack local network devices even services on the Localhost. For more information on localhost web services and CSRF check out an Rob Carter’s example for uTorrent here. Any network device on your local network that runs a web server can be vulnerable to the same attack as the Motorola / Netopia device I am about to discuss.
Recently, while getting ready for a web cast I am doing called: Cross-Site Request Forgery and Beyond, I was messing around with a Motorola / Netopia 2210 DSL modem. AT&T started issuing these modems in 2007. While looking at this device I noticed it was particularly vulnerable to a devastating attack. This demonstrates a perfect example of attacking local network devices though CSRF. This vulnerability isn’t just isolated to the Motorola / Netopia DSL modems, but most of them out there. By default most DSL modems, don’t require authentication to access the configuration menu. This is because of a mistaken assumption that only trusted devices would be on the local network. This is a mistake, because the user and their browser are on the local network, and they can’t always be trusted. People access so much content on the web, they never seem to know where their browser is sending requests.
Motorola / Netopia 2210 DSL modem Vulnerability
The reason this makes a perfect example is because it exploits an assumed trust relationship, allows request transformations, and complete ownage. When a user on the local network browses to the following URL they are greeted with the DSL configuration homepage. This is with no authentication by default. http://192.168.1.254
If you notice on the right hand side there is a menu option that says Remote Access. When you click on this option it takes you to the following screen.
As you can see remote admin is disabled by default. There is, however, a default username, empty password, and a couple of other options including Enable Permanent Remote Management. When you click the enable button a POST is sent to the device. This POST looks like this:
POST /Forms/remoteRES_1 HTTP/1.0 Host: 192.168.1.254 NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable
This POST will enable remote admin on the DSL modem, set the password to blehblah, and enable permanent remote access. Now, this is bad because this is done with no authentication. So if someone were to stage an auto-submitting JavaScript form, they would be able to submit values for this and enable their own password. So, let’s make matters a little worse. It appears that the DSL modem allows you to transform requests and still accept values. So, you can transform the previous POST request to a GET and get the same results. This means just getting the user to send a request to the following URL causes a compromise:
http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable
As you can see this is bad. Just getting a user to forge a request to that URL gets them to enable remote admin and set a password of an attacker’s choice. Ouch! This can be done a few different ways, but the most simple is an HTML img tag that is 1 x 1 px. So, the little red X doesn’t show when no image is retrieved.
<img src="http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable" alt="" width="1" height="1" />
If anyone with this DSL modem visits a page with this image tag on it, they will have remote admin set and a password of an attacker’s choice set. An attacker doesn’t have to just do this. They can pretty much control other options from the DSL modem as well through other submissions to the DSL modem. I mean, this stuff is incredibly simple and nothing complicated is required to exploit these types of issues.
Vulnerability Impacts
Remember that attacker has remote admin on your routing device. So, even if you have a network inside with private IP addresses, the attacker has access to your logs. It is trivial at that point to identify internal IP addresses and configure pass-through to these machines so they can attack them directly. Basically the machines on your local network can be compromised.
The attacker already has pieces of static information, that is the username: admin and the port number: 2420. A simple sweep for that port number could reveal results from compromise. Also, the attacker can have two img tags on a page, one that sets the remote admin and the other that just allows them to log the IP address of people visiting the content. This would help narrow down potential victims.
People have the ability to place their own content in many different popular locations. One of the biggest is of course Social Networks. For example, this vulnerability means that your DSL modem could be compromised just by visiting MySpace. That’s pretty scary. Just one more instance of how a social network can be turned in to an attack platform. I think I heard some people were talking about that not to long ago
This attack only took one request, just one HTTP GET. This attack could have been made a bit more difficult by not allowing requests to be sent in the form of an HTTP GET request. Not quite sure why this is, but it is a good bet that Motorola is not aware their little web server allows this. That is just a guess of course.
Mitigation
Um, just like you learned (or didn’t learn) with your Linksys wireless devices, change your defaults. CSRF vulnerabilities are exploited based off static, known data. Setting a password on your DSL modem and changing the default IP address of the device is a good start. While your at it why don’t you choose a strong password. I wouldn’t set remote admin in your DSL modem ever. Did you see what happened when you enabled remote admin? No cryptographic protections for your credentials, over the web, to your routing device. If you want to get fancy, configure yourself a Linux firewall and just let your DSL do IP passthrough to that device and do your configurations on that.
Don’t keep learning these lessons. Anything on your local network or localhost that has default settings, passwords, predictable locations, etc change them. This way, when future vulnerabilities arise, you will be better protected.
I really hate AT&T sometimes. Not having the iPhone do MMS messages is about the dumbest thing they could have done. Not that MMS messages are something I do everyday, but on occasion it happens. AT&T has this stupid website that you have to go to retrieve your MMS messages called www.viewmymessage.com/1. Then you have to type in some random username and password all to get some picture you probably didn’t want in the first place. Not to mention you can’t copy and paste crap either, way to go Apple. Copy and Paste, who does that? Now I realize that this is old news to everyone, I just needed to vent for a second. I thought I would share an error that I got when trying to receive a picture from the wonderful www.viewmymessage.com.
The url location is:
http://www.viewmymessage.com/en/webnonsubscriber/viewmessage.do
The content of the page displays:
Invalid path /1en/en1/en/1en/en/1en/en/1/en/1en/en/1en/en/1en/en/1en/en/1/en/1en/en/1en/en/1en/en/1en/en/1n/en/1en/en/1en/en/1en/en/1en/en/1en/en/1en/en/1en/en/2en/en/2en/en/webnonsubscriber/actualviewmessage was requested
Nice directory structure, is that some attempt at obfuscation? This site sucks so bad, who knows what the intent of having a structure like this is. This is the first error I have seen from this page. I have had it just not work, but never give back any errors. I know other people have had errors on this site, so I am adding to the stack. For people who may stumble across this post, it isn’t an Apple issue, well maybe indirectly due to the fact the iPhone doesn’t support MMS. This is an AT&T site, so the error belongs to them. Anyway, just wanted to share something stupid for the day.
Business social network LinkedIn announced their LinkedIn Applications today. The applications directory can be viewed here There are only several applications to chose from at the moment. I am sure that number will grow soon. LinkedIn uses Google’s OpenSocial just like other social networks such as MySpace, Orkut, hi5, etc. I only spent like 5 minutes looking at a couple of things. So, the following are only my quick thoughts and impressions.
The applications are delivered though the domain lmodules.com. This makes them easy to identify and block if that’s what you would like to do.
At first glance it appears that the vetting process for LinkedIn is higher than some of the other social networks. They appear to only want known businesses to create applications for their network at this time. This would help root out some possible malicious users. A vetting process is a good first step in thwarting that type of malicious behavior. I didn’t look at the difficulty in attaining a developer account, but I am assuming it is much more difficult than other social networks like MySpace, Facebok, etc. Now, whether this vetting process will stay this stringent will remain to be seen. These procedures may be relaxed in the future due to demand.
Just because the name has changed doesn’t mean the threats have changed. As a matter of fact there may actually be more on the table. Business networks such as LinkedIn are more likely to contain real information about people vs other non-professional social networks. Not that people don’t share enough about their real self on other social networks. This means the same threats exist for the capture of information as on other social networks.
There are still technical threats from social network applications on LinkedIn as well. These are the very same issues as other social networks that we have discussed in the past and demonstrated. Malware distribution, social engineering, attacking clients, information harvesting, click fraud are just some of these threats from social network applications. Moral of the story is be careful. Don’t install apps you don’t need, even though you may do so on your iPhone
So all in all the threats are the same with LinkedIn as any other social networks that employ applications. However, with a more stringent vetting process this should reduce the possibilities for malicious by making accounts harder to get.
For those of you that care, there is a caricature of me on the cover of the November issue of CPU Magazine. In the back of the magazine there is some Q&A with me mostly about social networks. It’s probably stuff you have heard Shawn and I say before, but cool nonetheless. So if you are in your favorite book store check out the magazine and see what you think.
Password Reset: Your passport to a fuxored account.
Password Reset Methods Vulnerable? Really? Get out of here, you mean that many password reset methods are vulnerable to attack? You have to be kidding. The fact that people think vulnerable password reset is newsworthy have got to be crazy. This is something that many of us have been talking about for years. Now Sarah Palin’s email gets attacked and it is big deal. It amazes me why we always wait to get screwed by something before we fix it.
Why does everything in the security world have to be a response to something. Ok, not the security world but the business security world. They are definitely two different entities. I am truly tired of reactive security. Just think if other professions followed this reactive model, like a cop asking for a bullet proof vest after they have already been shot. Nobody can say they didn’t see this coming either. People make more of their life known through social networks, photo sharing, and blogs than ever before. The simple password reset questions just don’t hold up.
There is a lot of unnecessary fear about data from social networks being used to steal someone’s identity. Although this is mostly FUD, social networks can be a great source for password recovery data. A while back we recovered a password (with his permission of course) from my friend Brian’s Sprint account using data from his MySpace page. This is when we were first starting our research for the social network hacking project.
Let’s take a step back from social networks for a sec, would your friends, co-workers, significant other, etc. be able to recover your password with the information they know about you? If the answer to that question is yes, then you need to change something. Passwords should be something that you know, not you and a couple of other people.
What Types of Data are on Social Networks?
The information that people put on their social network pages range from minimal to wildly over the top. Some people even go above and beyond by posting survey questions that tell a lot about their personalities. Although they want to show off the depth of their personality, all it really does is show off the shallowness of their brain.
Social networks by their default nature basically allow you to “friend” the world. The information on people’s social network page typically contains information that was previously only known to traditional friends and acquaintances. This can be a huge problem for the password reset mechanism, not to mention a person’s privacy. If it’s deep and kinda scary from a privacy standpoint then it is probably on a social network. Remember when I mentioned if your friends knew enough about you to reset your password then you are in trouble, well you just friended the world with the information from your social network profile. Beyond standard profile information there are a users actions taken on a social network site and possibly social network applications that are being used as well. All of this information can be leveraged when attacking a password reset mechanisms.
You can use an email address to look up people’s accounts on social networking sites. On the flip side, someone social network profile might directly tell you a person’s email address or you can use the search features of the social network to query owner’s of certain email addresses. There are no secrets in social networking
Email Accounts are Gold
With password resets an email account is really the jackpot. Many password reset mechanisms, including the ones from social networks, rely on sending either the password or a temporary password to the email address of the account owner. Someone who gets their email account compromised might just find that they have every other account tied to that email account compromised as well. I mean, it wouldn’t be a far stretch to figure that out once someone had access to the email account. Just think of all the crap that sites like Amazon, eBay, MySpace, Facebook, etc. send to your email account.
Typical Password Questions
Typical password recovery questions really vary in complexity from site to site. What is the problem with password recovery questions in general? Well, they are not typically made up of data that is private. Unlike a password which is supposed to be something that only you know, recovery questions may be known to many people around you.
Here are some questions from Yahoo:
- Where did you meet your spouse?
- What was the name of your first school?
- Who was your childhood hero?
- What is your favorite pastime?
- What is your favorite sports team?
- What is your father’s middle name?
- What was your hight school mascot?
- What make was your first car or bike?
- What is your pets name?
Some of these questions look like questions that social networks ask when you are filling out a profile, don’t they? If not questions they ask, certainly data that people put on their social network profiles or divulge through other means on a social network.
The Obvious
Take a glance at someone’s profile or maybe your profile on a social network. From just this page without further probing there may be an enormous amount of information. Depending on the mechanism that is being attacked, it may be all that is needed. Here is an example of some of the things that may be found just on the profile page:
- Name
- Date of Birth
- Hometown
- Current town
- Favorite movies, artists, music, people, TV, sports teams, etc
- High School
- College
- Personal description
- Personality traits
- Networks and Groups
- Relationship information
- Family information
- Employer
The list really goes on and on. Remember that many people are on multiple social networks. Checking out other social networks may fill in the blanks. It is easy to see why this information could be a problem and I don’t think it needs any further explanation.
The Not So Obvious
Some data is not so obvious and might not be directly spelled out. This may be information that has to be aggregated or inferred from the profile data, friends list, blog, group, network, etc.
- Photos and photo tags
- Comments on other profiles
- Photo data (cloths, background, other individuals, etc)
- Pets
- Children
- Siblings
- Relatives (potentially ones with your mother’s maiden name?)
- Potential usernames
- Instant messenger data
- Blogs and comments in friends’ blogs
- Favorite teachers
- Sexual preference
- Religious views
- Political views
The data is really limitless, but after all isn’t that what a nice web 2.0 application is supposed to provide? On the surface some of this data may seem silly for password resets but it is really not. This not so obvious information can be really helpful when when non-standard questions are used in the password reset process. This typically happens when people are left to their own devices when creating security questions. They typically create questions that are common and familiar to them. Stupid things like pet’s names, favorite teams, favorite TV shows, etc.
Just think for a moment about tagging. People may tag photos themselves with useful information. Also, friends may tag people in photos helping better define a person’s relationships with people and activities they are involved in. The URL of the social network may lead you to potential usernames / IM information such as www.myspace.com/(username). Maybe the data is completely visual like photo data. A lot of information can be obtained by looking at pictures. Favorite places, sports teams, cars, and countless other possibilities. You name it, people like pictures with their favorite things.
The actions people take on social networks helps better define relationships, networks, group affiliations, and activities. The person may place comments on other people’s photos, profiles, walls, blogs, etc. You may see comments like “That is why you are my BFF”. You may also see that someone is a member of a political party or religious group. People may discuss on boards or blogs about certain things happening in their life. Sharing is caring right?
So what you get in the end is a clear picture of who these people are. You get their likes, dislikes, friends, and affiliations are all in a nice clean package. You may have never even met this person but you have all of the information a traditional friend may have, possibly more.
Need a bit more?
If you almost have the nail in the coffin then you can turn to other sites to complete the task. You could look for name / username collisions on other sites to gain more data. You could take their high school and age information and find out who they went to school with. The possibilities are endless.
The User’s Choice
When people are given the option to choose their own security it has historically been bad. There is nothing that seems to suggest that allowing user’s to choose their security will get any better, so some of this may be wasted breath.
When looking at sites like Google, it seems they have slightly better security questions. Questions such as your library card number, frequent flyer number, etc. I think sites like these with better security questions probably have a high amount of people that end up just choosing their own questions when this option is available. People don’t seem to understand that this isn’t a function that you are going to use everyday. It is ok and preferable to use data that you may not be able to recall without looking up.
So What Can We Do?
The problem of personal data leakage isn’t going to stop until people realize the potential impacts of their data being strung out for the whole world to see. I personally don’t think this will change, in fact, I think with time it will get a lot worse. We live in this voyeuristic, virtual world where people create digital representations of how they see themselves. I think that has an appeal to many people, especially those who don’t particularly find their lives that exciting.
Don’t play by the rules when dealing with a sites password reset questions. Put blatantly wrong, hard to guess, or nonsensical information in to the answer blocks. This will make any information gathered on you useless when attempting to recover your password.
It seems that many sites want you to log in. You shouldn’t use the same password on every site. Use a trusted password safe such as KeePass to store your login credentials. KeePass is open source and multi-platform. Using a mechanism like this allows you to be in control of your password recovery along with allowing you to use different passwords for different sites. It would also be a good idea to back up the database of whatever password safe you choose to use as well. Just a thought
The biggest mistake someone can make is thinking that there is nobody out there that gives enough of a crap about them to attack their accounts. People do weird things. Anybody is capable of just about anything. This isn’t being paranoid, it’s being safe. Think of it as locking the door on your house when you leave, only instead of your valuables you are protecting your data.