Social Networks hacking – maybe not the most technical skill you can learn from the street but definitely the one that will prove to be extremely useful today and in the future.
I started my quest on social network hacking back in the days when they first came out, and I sort of knew that they were an extremely bad idea from a security standpoint. To date I am still hesitant to open or even be part of a social network unless it is unobtrusive and useful and never too personal. LinkedIn used to be that kind of network as it was organized around professionals, but today it proves to be more harmful than useful, as you will see further in this post.
A couple of posts back I had a discussion on the type of attacks I would like to refer to as Evil Twin. Just like in WiFi security, Evil Twin attacks are all about impersonating someone or something. The reason this scenario was mentioned is that we did have a go once with this type of attack. Then we found out that Paul and Larry also tried Evil Twin attacks against Twitchy, and they all proved to be more than successful, as we’ve promised in our blog post.
But is that all? Just Evil Twin attacks? Well NO! Definitely not! We are just at the beginning of a whole brave new world. For example, when I approach social networks I try to look at them from an Information Architecture point of view. I try to see the hidden connections between things and people and draw my own conclusions depending on my goals. The tools are quite different, and I will definitely recommend a few and even release some of my own, which were built to serve different purposes.
One important point that I would like to make regarding social networks, which is also one of the things I believe will become a new phenomenon in the information security scene, is that I am more than certain that they will be the place where new types of information overlords, or even puppet masters, will be born. Looking back in time, every information security expert, hacker and information junkie who has been in this scene long enough can easily see a few very basic patterns: spam works, so do drive-by downloads, people are the weakest link, not computers, and simple things work best.
The puppet masters will be the people with far too many identities for the average human to keep up with. The kind of people who have their fingers in every organization and have the invisible influence to guide the masses. Keep in mind that social networks are designed to aggregate people. But people who know how to make the most use of the technology will be overpowered. This is definitely something to keep an eye on, as sooner or later you will realize or hear in the news that someone has performed an important business operation based on data or connections pulled from social networks. This is the new type of spam, or botnet, or drive-by-download attack, which security software will never be able to prevent or even detect unless it is built around an AI.
So what’s the problem with LinkedIn? Well, they’ve released a shiny new feature called LinkedIn Company Profile. This feature aggregates people into logical groups. If I go now and register a new profile for John Johnson and I specify that I work for BMW, then it is certain that I will appear on BMW’s company page. That is what I call exploiting trust. What if I say that I am the CEO of BMW? There is not a single feature in LinkedIn that will prevent me from doing so. I highly doubt that there will ever be a good enough mechanism to prevent malicious identity attacks.
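From the defending company's side, self-declared employer claims can at least be reconciled against an authoritative staff list. The following is an added example, not code from the original post: it assumes the company can export the names and titles shown on its company page and has an HR roster to compare against; all data, field names and finding labels are constructed for illustration.

```python
import unicodedata
from collections import defaultdict

# Constructed sample data. ROSTER is the authoritative HR list; CLAIMS are
# self-declared profiles as a company page would aggregate them.
ROSTER = {
    "john johnson": "Sales Engineer",
    "maria keller": "Chief Executive Officer",
}
CLAIMS = [
    {"profile_id": "p1", "name": "John Johnson", "title": "Sales Engineer"},
    {"profile_id": "p2", "name": "John  JOHNSON", "title": "CEO"},
    {"profile_id": "p3", "name": "Eve Mallory", "title": "IT Administrator"},
    {"profile_id": "p4", "name": "María Keller", "title": "Chief Executive Officer"},
]
TITLE_ALIASES = {"ceo": "chief executive officer"}  # hypothetical alias table


def norm(text):
    """Fold case, accents and whitespace so cosmetic variants compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def norm_title(title):
    """Normalise a job title and expand known abbreviations."""
    t = norm(title)
    return TITLE_ALIASES.get(t, t)


def audit_company_page(claims, roster):
    """Return sorted (profile_id, finding) pairs for claims HR cannot confirm."""
    findings = []
    by_name = defaultdict(list)
    for claim in claims:
        by_name[norm(claim["name"])].append(claim)
    for name, group in by_name.items():
        if name not in roster:
            findings += [(c["profile_id"], "not_on_roster") for c in group]
            continue
        expected = norm_title(roster[name])
        matching = [c for c in group if norm_title(c["title"]) == expected]
        for c in group:
            if c not in matching:
                findings.append((c["profile_id"], "title_mismatch"))
        # Several profiles consistent with one employee: possible Evil Twin.
        if len(matching) > 1:
            findings += [(c["profile_id"], "duplicate_identity") for c in matching]
    return sorted(findings)
```

Matching on name alone will collide on genuine namesakes, so each finding is a lead for manual review rather than proof of impersonation.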
On top of that, gathering data about companies and individuals is easier than ever. You don’t need access to some secret FBI, bla, bla database. Why would you want that when people offer all the information that you need for free on Facebook? Does the US government have its fingers in this specific social network, as this video suggests? I don’t know, but it seems like a very clever idea if you think about it. No matter how many people the government employs to keep track of individuals, it will never be enough to keep an up-to-date database. Instead, switch the roles of the game. Provide facilities for people to aggregate this information themselves. However, not only the government (supposedly) has access to your information but also attackers, who can abuse it in any way they like.
Hacking into social network profiles has a devastating effect on the victim, and there are far too many bugs in these networks to enable that. And to wrap up this post, here is some footage from the movie Hackers. The important bit is right at the end of this 9-minute video clip. I summarized it for you below:
PLAGUE Lauren Murphy is now a wanted felon in the state of Washington. Forgery, Embezzlement, two drug convictions, plus she jumped parole. When she’s arrested, she will not have a trial, she will not pass go, she will go directly to jail. Then I change this file back to the original, and your mom disappears.
DADE That’s bullshit.
PLAGUE What can I tell you. Computers never lie, kid. Your mom will be arrested at work, she’ll be handcuffed, and later, strip searched.

I have something to add: Imagine if your company holds a huge call center! And you have about 30% of your employees in a social network of any kind. How bad could it be if outsiders start offering money for valid usernames and passwords? Got the picture?