Comments on: Social Networks Evil Twin Attacks

By: Web 2.0 and Social Media Threats for Government | The Guerilla CISO

Web 2.0 and Social Media Threats for Government | The Guerilla CISO — Thu, 01 Oct 2009 03:22:25 +0000

[...] Evil Twin Attack on GNUCITIZEN [...]

By: I judge you: A social networks commentary | Bad Penny

I judge you: A social networks commentary | Bad Penny — Sat, 29 Aug 2009 23:23:55 +0000

[...] Moyer and Nathan Hamiel’s presentation demonstrating Evil Twin attacks on social networks at Blackhat/Defcon last [...]

By: Le migliori tecniche di Web Hacking del 2008 | lonerunners.net

Le migliori tecniche di Web Hacking del 2008 | lonerunners.net — Sun, 15 Mar 2009 17:21:51 +0000

[...] Social Networks Evil Twin Attacks [...]

By: The hackable invisible structures

The hackable invisible structures — Tue, 07 Oct 2008 09:00:42 +0000

[...] This morning i was also dwelving in R-Echos archives and came across this post (original post is here): Social Networks Evil Twin Attacks which depicts an attack made on an individual using the social [...]

By: toppleganger

toppleganger — Sun, 04 May 2008 16:27:43 +0000

Well what is the craic my people, I am nuts and i thought i would have a look to see if i could pick my victim out. i love it and in the next veiw days you will see your twins

By: Social Networks, Evil Twins and Puppet Masters | GNUCITIZEN

Social Networks, Evil Twins and Puppet Masters | GNUCITIZEN — Sat, 22 Mar 2008 10:33:39 +0000

[...] couple of posts back I had a discussion on the type of attacks I would like to refer to as Evil Twin. Just like in WiFi security, Evil Twin [...]

By: pdp

pdp — Wed, 20 Feb 2008 14:57:59 +0000

Jim, can we move this discussion to a private channel or maybe even a separate post? It is kind of unrelated to the content and a lot of people will get confused. I do agree on some of your points but maybe I should rephrase my statement a bit to be more accurate. Thanks for the comments.

By: Jim Manico

Jim Manico — Wed, 20 Feb 2008 14:53:19 +0000

JSON is not specific to AJAX (specifically, asynchronous communication with a web server). It’s a very old-school (decade or more) way of representing data in JavaScript. And still, you need to secure your JSON service endpoints the same way you would secure those 1.0 endpoints. Web 1.0 security. CSRF is also very old school, it was called “Session riding” in the past and has been around since the dawn of the dynamic web.

By: pdp

pdp — Wed, 20 Feb 2008 14:47:18 +0000

jerry, I agree.

Jim, it does. :) For example, due to AJAX CSRFing JSON calls practically exploded as a preferred attack vector for exploiting AJAX application. Some people know this as JavaScript hijacking but I don’t like that name.

By: Jim Manico

Jim Manico — Wed, 20 Feb 2008 14:44:24 +0000

Ajax does not introduce security problems any more than Web 1.0 introduces security problems. That is, unless of course, you are pushing business logic to the client – which is a no no independent of Ajax. Ajax just introduces more endpoints. The same security web 1.0 implications apply, nothing new.

By: jerry shenk

jerry shenk — Wed, 20 Feb 2008 14:35:18 +0000

I’ve been a little slow to get into the “social networks” phenomenon. Privacy has been my main concern but as has been stated…there is SO MUCH information about me out there already, what’s the big deal…so I gave in about 2 weeks ago.

Listening to the discussion between Jim and pdp, perhaps there is more danger in NOT getting involved. If I am not involved, then an attacker has plenty of time to impersonate me, build trust relationships and “do bad things”.

By: pdp

pdp — Wed, 20 Feb 2008 13:59:13 +0000

The simple fact that social networks make you more connected with your peers and the fact that people use social networks to do business is a significant change which raises some interesting questions, like the one in the article above. As for AJAX, AJAX does introduce some security problems!

By: Jim Manico

Jim Manico — Wed, 20 Feb 2008 13:54:32 +0000

This has nothing to do with social networks – it has to do with the open nature of web and personal information. What is to stop me from posting information about you on a blog? Or setting up an email address that looks like your name? This is similar to the argument “Ajax makes you more insecure” – it’s the same web 1.0 transparency of information problem – only faster with Social networks.

By: James

James — Wed, 20 Feb 2008 12:23:26 +0000

There is some work being done in this arena at Carnegie Mellon University’s Heinz School of Management. In particular, see Becker’s paper on identity theft via social network profile theft, and Acquisti’s papers on identifying social security numbers from Facebook profiles.

By: pdp

pdp — Wed, 20 Feb 2008 07:41:36 +0000

Benjamin, exactly. If the attack creates twin profile on a social network where their victim hasn’t been registered already, it will be trivially easy to fool the victim’s friends on other social networks.

EC, let me have a look at that paper… 10x for sharing.

By: Benjamin Juang

Benjamin Juang — Wed, 20 Feb 2008 07:37:46 +0000

Lurker here – I’ve actually experienced a shadow of this lately. I’m one of the administrators and developers of a facebook application, and someone took my profile picture and changed their facebook name to match mine, and started posting in the application forums. Thankfully, facebook has things set up so that posts by application developers show up in light-green… so no one could have been fooled, unless they weren’t aware of the normal light-green system.

But it would have been easy for him to go through my friend list, messaging them…

Also, what about creating the profile of your victim on a social network before they establish their connections there? Then building off a list of the victim’s friends found on one social network, they could connect to the victim’s friends on the other social network.

(Badly worded, sorry – it’s getting late)

By: EC

EC — Tue, 19 Feb 2008 22:44:42 +0000

Great article pdp. Take a look to this paper related to your thinking about social networks.
http://www.enisa.europa.eu/doc.....tworks.pdf

Regards.
EC

By: roko

roko — Tue, 19 Feb 2008 18:42:08 +0000

Some weeks ago I was thinking in this “social network” fanatic movement and how people trust (blindy) in the information showed in this kind of website… and I was wondering, what would happen if someone hacks a social network like facebook, linkedin, etc and take control on some (or all) these online profiles. Good article.

By: agent0x0

agent0x0 — Tue, 19 Feb 2008 14:37:21 +0000

Good post guys. I agree with pdp that blogging, and social networking use in general will make you vulnerable to impersonation. I believe it depends on how much personal information you give out on these types of networks. In my LinkedIn profile I don’t make my profile public, and only allow connections from people I know directly. For me, I feel the career benefit of LinkedIn is worth a bit of risk with my personal information. I have a blog as well but I keep it as anonymous as I can…I guess I am a bit security paranoid and don’t like my real name even on my blog. However, I have talked to other bloggers and they will say that to them it’s worth the risk to have their real name on their blog. It’s all comes down to your own “personal risk assessment”. :)

By: Jim Manico

Jim Manico — Tue, 19 Feb 2008 13:53:51 +0000

On 1) Fair enough
on 2) Still disagree; once someone has hijacked your identity, you can contact the owners of LinkedIn to prove your identity and get the offending account removed. You do not need do give them all your biometrics, passport etc. I’m sure a simple license will do. And if you are in a position where you are overly concerned about identity theft – you should get identity theft insurance and monitoring.
On 3) Sure, impersonate me, and while you are it please help debug and/or work on some of my code. I also have a few project proposals you can help me work on…. ;-)