Comments on: Social Networks and Black Magic http://www.neohaxor.org/2009/04/09/social-networks-and-black-magic/ InfoSec / Critical Thinking / Misc Crap Tue, 07 Sep 2010 17:25:08 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Nathan http://www.neohaxor.org/2009/04/09/social-networks-and-black-magic/comment-page-1/#comment-2679 Nathan Sun, 19 Apr 2009 03:22:11 +0000 http://www.neohaxor.org/?p=116#comment-2679 Geek Prophet, This is still an example of people not understanding how social networks are used and how social attacks are pulled off. This is all leads to my point. Friending someone on a social network does not mean the attacker knows anything about them. People share a lot of information on a social network, but it is ridiculous to think that you can communicate effectively enough for an attack. At least not without a significant amount of time being spent. Here is something else to think about, the more time that is spent, the higher likelihood of the attacker getting caught. All the person has to do is mention the other social network identity in conversation. The larger the group of friends, the odds go up significantly, because there are more people in the circle of friends. The premise for the attack is still faulty. The ball game completely changes when money is involved. It's not big secret that people act differently when dealing with money. This happens in the physical world as well. That's one of the reasons why there haven't been any big reports of this being successful. Even when people have gotten their accounts compromised. My example in "This is Nasty" is taking over an already established account. Someone who has created relationships and communicated with people in the past. Not creating an account for someone that hasn't existed on the particular social network before. There is a big difference. Even then, I was just saying it was nasty for the social network user. Not that I think someone would be able to exploit this for money. Having your password compromised is nasty too. Geek Prophet,
This is still an example of people not understanding how social networks are used and how social attacks are pulled off. This is all leads to my point. Friending someone on a social network does not mean the attacker knows anything about them. People share a lot of information on a social network, but it is ridiculous to think that you can communicate effectively enough for an attack. At least not without a significant amount of time being spent. Here is something else to think about, the more time that is spent, the higher likelihood of the attacker getting caught. All the person has to do is mention the other social network identity in conversation. The larger the group of friends, the odds go up significantly, because there are more people in the circle of friends. The premise for the attack is still faulty.

The ball game completely changes when money is involved. It’s not big secret that people act differently when dealing with money. This happens in the physical world as well. That’s one of the reasons why there haven’t been any big reports of this being successful. Even when people have gotten their accounts compromised.

My example in “This is Nasty” is taking over an already established account. Someone who has created relationships and communicated with people in the past. Not creating an account for someone that hasn’t existed on the particular social network before. There is a big difference. Even then, I was just saying it was nasty for the social network user. Not that I think someone would be able to exploit this for money. Having your password compromised is nasty too.

]]> By: Geek Prophet http://www.neohaxor.org/2009/04/09/social-networks-and-black-magic/comment-page-1/#comment-2588 Geek Prophet Thu, 16 Apr 2009 18:59:37 +0000 http://www.neohaxor.org/?p=116#comment-2588 I think you have misunderstood the attack being described. It is an impersonation, not making gullible "friends" on Facebook. You describe the attack as requiring people to trust those they haven't met (it doesn't), and in your paragraph titled "This is Nasty", describe a technical method of doing something very similar to what the article in question describes doing in an non-technical way: impersonate other people. I suggest you reread the original. This isn't about getting people to trust someone they haven't met so much they will send them $500. It is about getting people to believe you are their sister/mother/father/friend/boss, and then getting them to send you $500. I think you have misunderstood the attack being described. It is an impersonation, not making gullible “friends” on Facebook.

You describe the attack as requiring people to trust those they haven’t met (it doesn’t), and in your paragraph titled “This is Nasty”, describe a technical method of doing something very similar to what the article in question describes doing in an non-technical way: impersonate other people.

I suggest you reread the original. This isn’t about getting people to trust someone they haven’t met so much they will send them $500. It is about getting people to believe you are their sister/mother/father/friend/boss, and then getting them to send you $500.

]]>