Slapped in the Facebook: Social Networking Dangers Exposed

WASHINGTON, D.C. -- For many people, social networking has become as much of a daily routine as brewing coffee and brushing teeth. IT administrators dislike it and cyber crooks depend on it.

That's because most of the time people spend on MySpace, Facebook, LinkedIn, Twitter and elsewhere is during work hours -- on work machines.

At the ShmooCon 2009 security conference in the nation's capital this weekend, two security researchers demonstrated the many reasons why this is bad.

In a presentation called "Fail 2.0: Further Musings on Attacking Social Networks," Nathan Hamiel and Shawn Moyer guided attendees through attacks made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other content with little effort.

"Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there's a lot of return-on-investment in going after them," Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

Through a variety of easy tricks, attackers can hijack a person's social network account to use as a launching pad for additional attacks against other users, other Web 2.0-based applications, and so on. Social networks can also be incorporated into micro botnets and, by rummaging through a page of misfired direct messages on Twitter, a motivated attacker can unearth the cell phone numbers of prominent people.

Hamiel noted that the trouble begins with so much creative power being put in the hands of those who have little or no tech savvy.

"Any application can be used to attack other applications and an application can be used to view your entire file if the privacy settings are off," he said. "Even if you put the privacy settings in place, you should assume you are screwed."

The demonstrations the duo ran through included:

• Creating imposter profiles on LinkedIn, assuming the identity of someone prominent, and friending as many people as possible. For the sake of experimentation, the researchers created a fake profile for a well-known security leader (with permission) and accumulated 50-plus connections in less than a day, many of them CSOs and other bigwigs.
• Showing how to sabotage the MySpace page of someone you're not directly connected with via the profile of a common connection. This example involved fake Myspace pages for rocker Alice Cooper and actors Eva Longoria and Bob Saget. In this scenario, Cooper and Longoria are connected to Saget but not to each other. Longoria wants to connect with Cooper, who refuses, and she responds my using their common connection to Saget to access and deface Cooper's page.
• Rummaging through a site that accumulates old direct messages originally sent out through Twitter. With enough patience, the bad guy can find and exploit such discoveries as phone numbers, e-mail addresses and other personal information that was originally meant for individuals rather than the general Tweeting public.

Not surprised by any of this is James Arlen, a Toronto-based security consultant who listened in on the presentation.

"At the end of the day, far too many people operate in a zone where they presume trust," Arlen said. "There's an odd level of trust where you look at someone's profile and say 'I know this person,' but there's no real attempt at authentication."