Downside of keeping everything public – ICWATCH

I have been writing and preaching about Social network information harvesting and why it is a bad thing (Check out the post here). I recently stumbled upon something, which is, publicly known though, but still worth mentioning. The mentioned “something” is a very good example of why too much information about one’s self is never a good idea.

I was having some fun with Riddler the other day. For those who do not know what Riddler is, well it is F-Secure’s search engine for web domains and much more. Unlike Shodan where all ports are scanned and then the headers are saved in a database, Riddler can be used to query about specific domains and subdomains and get some very very interesting information. So, as I was saying, that I was having fun with Riddler and I stumbled upon a strange subdomain of (Strange subdomain).

The ICWATCH, contains public database of mainly LinkedIn profiles of people in the United States government employees. Though the website is publicly known. It was quite astonishing to see how much information people have posted on their Linkedin accounts. It makes sense if someone is in sales or normal private sector job, but giving so much information and revealing what the person does, for intelligence community is, well not advised, in my opinion.

Back to the point, open-source intelligence (OSINT) is completely legal and any person/agency can easily gather information about anyone without committing a crime. I usually talk about advertisers, malicious hackers, social engineers etc, who use this to take advantage of the information collected and harm innocent users. People should keep in mind that tracking people across multiple social networking platforms is a trivial job nowadays, for a skilled hacker.

It is very important, not to disclose personal information on the internet. Especially social networks like Linkedin, Facebook, etc. Sharing personal stuff is never a bad thing, but people should be smart about what they share. If you are working for the government, there is no need of writing everything about what you do, on your Linkedin profile.

Peace!

Social Network Information Harvesting (SNIH)

Social Networks ! For those people who do not know about the social network , what it is and what this blog post is all about, well, here is a quick introduction.

Social Network is

People share their personal or business information freely on these websites. Though the privacy policy is pretty customizable and one can exactly show what one wants and hide what one does not want people to see. Despite of all the security and the privacy, information can get leaked. Many of these social networks constantly change their privacy policies and at one point when u upload a picture it is automatically set to your privacy settings and at another time, its public for the world to see, You constantly have to check again and again whether the privacy of the material is public or not. For example: We performed a controlled check through Facebook to prove our theory and what happened was that most of our friends profile pictures were public and when we contacted them, so they were all saying the exact same thing that the last picture they uploaded was private and now this one became public automatically when they uploaded it.

The main point of this discussion is not to find flaws in social networking websites but it is that security gaps are inevitable and all of our information is on these giant networks and for any reason if the information gets leaked, then you are at a loss. Now this is a great thing for Spammers, who harvest email addresses and other personal information.

Social Network Information Harvesting is basically defined as gathering information about people,  available on the these social networks.   Social Network Information Harvesting can be a service for different kinds of people. Law Enforcement, Criminals, Spammers, Hackers, Intelligence.

SNIH can be applied in many scenarios and the repercussions of this can be quite serious, not for the attacker, but the victims.

SNIH Scenario: [The Scenario is based on Facebook]

Usually what SNIH implementer do is that they create a small game or an application for the users to play or access on the Facebook. Most of the applications ask for permissions like email, statuses, friend-list etc. Now if it is a legitimate application then its a blessing but if it is a malicious one then you can say good bye to any privacy set by the user or the Social Network.

Now the information gathered or harvested can be used to find trends for analysis. This analysis is useful to Law Enforcement Agencies. If personal statuses are harvested then one can determine the tendencies in a person. Similarly If people with malicious intent get hold of this information then, the question arises that except for the obvious, Email Spamming, Harvested pictures selling and buying , Personal information Stealing , cell phone numbers harvesting, what else can they do? Well this takes us to our second Scenario ..

SNIH Scenario 2 : [Disclaimer : This Information is for Educational Purposes. We will not be held responsible for any misuse of this information]

In this scenario we will see an attack that can be carried out by hackers against the innocent users. Though due to two factor authentication this attack might not work but most of us do not opt for two factor authentication.

The attack is on some users email address. Usually when we go to “forget your password”, the system asks us a secret question, which we have to answer in order to reset our password. Now if the hacker goes to some targeted users email and does the above mentioned procedure and for example the secret question is : my favorite pets name. Keep in mind that this account was made some years back and the person doesn’t even remember the question he or she kept, let alone the answer. Now comes the part where a little social engineering would help alot. The attacker goes on Facebook and if he or she knows the person who is targeted then its a walk in the park, as most of the users information is shown on his or hers profile page or home page, but in this case he would have to ask him or her for the answer. Now if the person is a stranger, what the attacker has to do is to add the target user and start a conversation with him or her and between the chat, after a day or so, he can casually ask about pets and other stuff and then slowly ask : I just bought a dog, what name should I give it  and most probably in the users mind , in his subconscious, there is an 80% chance that he or she would tell you the same name. Once the attacker gets the hold of the answer, he just has to go to the email providers account and enter the answer and BOOM ! He is in !

Now what exactly happened was that the attacker used the information available on one social network against another network. The example above requires a little bit of social engineering but usually the questions are my aunts name etc and that can easily be extracted from the information provided by the user on his profile.

To conclude, it is safe to say that Social Network Information Harvesting is wrong because it doesn’t matter if the law enforcement agencies use it or any other people with malicious intent use it, the point is that the user doesn’t know that the information is being harvested. This is in itself a crime whether Law Enforcement is using it or any other person is.

[This is a re-post of the original, posted on 20th of March, 2013, on Xc0re blog.]

The Cyber War !

Cyber war , a very big word , but some how doesn’t seem so big. Let me first give an introduction to what a Cyber War really is. The introduction is divided into two parts , General perception & Reality !

General Perception :

Most of the people in security field know what cyber war is , the general perception is the perception of a cyber war amongst non technical and non security folks ! In general when ever Cyber is added to any word or any sentence,  the impact that it causes to the the listener’s mind is that “Wow ! what a cool name ! “. It doesn’t matter how critical the sentence or the word is , most people don’t take it seriously and the thought that runs in their minds is “Yeah right, this is kids stuff ! “For example , Cyber Bullying , although the impact in reality is very high but there weren’t any laws against it until recently. People used to think , what the hell cyber space is a joke. Its for children , having fun and messing around.

Similarly if people hear about Cyber War any where , they just don’t take it seriously. In their minds they are like , “Cyber War , huh ? What is that ? What can a Cyber War do to me or my country !? ” , because according to them the definition of a cyber war is just a bunch of hackers who don’t have any social life , attacking web sites of other countries and defacing their webpages and then boasting about it , online or amongst friends.

Then these people watch movies like “Die Hard 4.0” and start thinking about the whole concept as just pure entertainment. Thus destroying the slightest spec of seriousness of the word in their minds.

Reality :

In reality Cyber War is a kind of war that starts in the Cyber Space , followed by air & ground attacks , which are pretty real. As in the current age , where cloud computing is the next best thing. Where next generation network technology is in its adolescent phase , where every thing is controlled through a micro chip, or to simplify it  , every thing is computerized. Nuclear Facilities , Hospitals , Industries , Military defense , Electricity etc are all controlled virtually ! I give the example of the movie “Die Hard 4.0” again , though I am not infatuated with this movie but the concept of Firesale is pretty accurate and as this blog is a reference for the Security people as well as a source of information for non technical people thus giving an example of a movie is better then explaining the whole science ! To sum it up , as every thing is automated and computerized thus attacking the systems on a virtual level and bringing them down and as the country gets crippled , its just a matter of walking and claiming it for oneself .

Ok!  Enough with the introduction now lets make things interesting .  Lets start with Stuxnet!! Stuxnet is a very sophisticated cyber weapon created by the US & Israel  against Iranian nuclear facilities. According to the current press , it caused serious damage to the nuclear plan of Iran. Then the appearance of Duqu Malware which was the successor of Stuxnet. Duqu is quite different from Stuxnet, it has a modular structure like Stuxnet but it isn’t equipped with modules for SCADA systems attack. It is only able to steal information from the host system.In recent years China has come on the maps , as a threat to cyber defense. Google in 2010  blamed china for conducting very sophisticated attacks against the Google’s servers.Recent Anonymous attacks against US as well as other countries is also worth mentioning. Wikileaks is also an important part of whats happening in the cyber world.

As Cyber War is the new trend , thus it is very hard to distinguish between cyber criminals and cyber warriors or cyber soldiers. Cyber Armies are being created with full government backing in many countries. As now Cyber space is considered to be a zone which has the same level of importance as the other zones of potential attacks for example Land , Sea , Air !

A full scale Cyber War resembles a Cold War , where you don’t see much activity as during a normal war but , has the power to break down USSR all over again !!!!