fuNctioN cReeP

Monday, March 12, 2012

(cnn)
If you use LinkedIn, you've probably told the site where you work, what you do and who you work with. That's a gold mine for hackers, who are increasingly savvy in using that kind of public -- but personal -- information for pinpoint attacks.

It's called "spear phishing," and it paid off last year in two especially high-profile security breaches: a Gmail attack that ensnared several top U.S. government officials and a separate attack on RSA, whose SecurID authentication tokens are used by millions.

In both cases, the attackers successfully tricked their targets into opening e-mail attachments that appeared to come from trusted sources or colleagues.

Investigators haven't disclosed how the attackers gathered information on their victims, but at RSA's security conference last month, the risks of social networking sites -- and LinkedIn in particular -- were a hot topic. Dozens of presenters said the business networking site could be a potent weapon in the hacker toolkit.

"Businesspeople are using LinkedIn for research purposes, and headhunters and marketers use it to recruit. Why wouldn't Chinese intelligence agents use it as well to spear phish?" said security analyst Ira Winkler, the author of "Spies Among Us."

Most of the discussion about LinkedIn's risks was theoretical -- investigators say it's almost impossible to trace back the original source of personal data used in successful "social engineering" attacks.

But in one arresting case study, self-described "hacker for hire" Ryan O'Horo demonstrated how he used LinkedIn to get inside a client's corporate network.

O'Horo is a managing security consultant for IOActive, a services firm that offers vulnerability testing. His customer, a "high-profile company with tens of thousands of employees," had top-notch technical protections.

"We needed to go to the next level," O'Horo said of his efforts to crack its network.

O'Horo created a fake account on LinkedIn, posing as a company employee. He stocked the profile with realistic details -- a plausible job history and skill set -- plus a few credibility-establishing flourishes like a membership in a local hockey league. From his dummy account, O'Horo sent out 300 connection requests to current company employees. Sixty-six were accepted.

Next, O'Horo requested access to a private LinkedIn discussion forum the company's employees had created. The group's moderators granted his request without ever checking a company directory to confirm his identity.

"Now I had an audience of 1,000 company employees," O'Horo said. "I posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, I got 87 hits -- 40% from inside the corporate network."

O'Horo got caught just three days into his LinkedIn attack: An astute employee figured out he didn't belong and blew the whistle. But he'd already made his point...
(more)

Written at 10:37 PM by rene - PermaLink

0 comments

0 Comments:

Post a Comment

<< Home

To get the oil price, please enable Javascript. To get the BRENT <a href="http://www.oil-price.net/dashboard.php?lang=en#brent_crude_price_tiny">oil price</a>, please enable Javascript.

Home
RSS

cryptogon.com
InfoWars
PrisonPlanet TV
The SCP
RFID Update
EFF
EPIC

TERMINOLOGY

fuNctioN cReeP: is what occurs when an item, process, or procedure designed for a specific purpose ends up serving another purpose for which it was never planned to perform.

Big Brother: an entity that is able to watch over all our actions in a unknown restrictive, controlling way with covert technology or other clandestine activities. It is commonly used to refer to a fear of the day when we will have zero privacy, due to government surveillance and personal accurate knowledge. The term was born from George Orwell's book "1984" where a government controls its citizens through continual surveillance.

The 4th Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Panopticon: first used by Jeremy Bentham as an architectual model in designing a prison. The concept follows that you could save money by building a circular prison with a singular tower in the middle for the guard. By keeping the guard in the dark and all the prisoners in the light, those being guarded could not tell when they were being watched.

Surveillance: In the middle ages, Surveillance was a man on a horse who was called a "scout." Now surveillance includes satellite imagery and aerial photography, sometimes from unmanned aircraft, and computer network hacking. Some more common, everyday surveillance techniques include eavesdropping, dumpster diving, video monitoring, and RFID.

Biometrics: automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are; face, fingerprints, hand geometry, handwriting, iris, retinal, vein, and voice. Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions.

Iris Scanning is a method of biometric identification; pattern recognition is used to determine the identity of the subject. Iris scans create high-resolution images of the irides of the eye; IR illumination is used to reduce specular reflection from the cornea. The iris itself is a "good subject" for biometric identification, because it is an internal organ that is well protected, it is mostly flat and it has a fine texture that is unique even for identical twins.

RFID stands for Radio Frequency IDentification, a technology that uses tiny computer chips smaller than a grain of sand to track items at a distance. RFID "spy chips" have been hidden in the packaging of Gillette razor products and in other products you might buy at a local Wal-Mart, Target, or Tesco - and they are already being used to spy on people.

The VeriChip passive RFID device is the core of key VeriChip applications. About the size of a grain of rice, each VeriChip contains a unique verification number, which can be used to access a Subscriber-supplied database providing specific information. Once implanted just under the skin, via a quick, painless outpatient procedure (much like getting a shot), the VeriChip can be scanned when necessary with a proprietary VeriChip scanner. A small amount of radio frequency energy passes from the scanner energizing the dormant VeriChip, which then emits a radio frequency signal transmitting the individuals unique verification (VeriChipID) number.