Web of trust case study

A couple of posts back we were on the subject of the Web of Trust and Tinder hacking.

An article today (linked below) gives a good example of how both can be used and abused.

It is important to note that low-hanging fruit is fair game: by leveraging trust, a campaign needs no technical sophistication to be just as effective.

Key steps:

  • assume a trusted identity
  • leverage that trust to target associations (friends)
  • SocEng: use a time-limited situation (i.e. an emergency) for personal gain

Not everything is what it seems.

Countermeasures:

  • Out of band: call them or email them, but don’t reply to the message itself (online dating: remember the burner phone)
  • Ignore: if it’s important, they will try again (use your best judgement! If it really is an emergency, get in touch with a next of kin, etc.)

http://www.bbc.co.uk/news/technology-27922710

Free internet: it comes at a cost

It is well known in security circles that if you do anything at all over an ‘untrusted network’ you must use some sort of countermeasure to ensure that you are not being watched.

Countermeasures usually mean encryption, that is, some sort of strong encoding that only you and the other party can undo.

Free internet can be set up by anyone, anywhere, and is very hard to verify unless you happen to be in the know.

Anything passing through it can be intercepted and analysed by the owner. It is giving your enemy a free lunch.

Using encryption only makes the analysis harder, not impossible (a well-funded organisation may not find it that hard), and metadata such as which hosts you connect to and when still leaks.
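To make the ‘free lunch’ concrete, here is an added example (not code from the original post or from the linked article) of what the owner of an access point sees for two captured flows: a plaintext HTTP request from a mobile app, and a TLS handshake to the same service. Both flows are constructed inline; the app name, hostname and cookie value are made up for the example. The point it shows beyond the paragraph: with plain HTTP everything is readable, and even with TLS the ClientHello still names the server in clear through the SNI extension (absent Encrypted Client Hello), so the hotspot owner learns which service you use and when, just not what you sent.

```python
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed plaintext HTTP request, as a mobile app using http:// rather
# than https:// would send it over the hotspot. Names and values are made up.
HTTP_FLOW = (
    b"GET /api/nearby?lat=51.5007&lon=-0.1246&dob=1984-03-02 HTTP/1.1\r\n"
    b"Host: dating.example\r\n"
    b"User-Agent: ExampleDatingApp/2.1 (iPhone; iOS 7.1)\r\n"
    b"Cookie: session=9f3a7c21b1e4\r\n"
    b"\r\n"
)


def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name (SNI)
    extension. Constructed here so the example runs offline; a real client
    sends more cipher suites and extensions, but the layout is the same."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(name_list)) + name_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # random (fixed bytes; real clients randomise)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                                # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def analyse_http(flow):
    """Everything in a plaintext request is readable: host, path, query, headers."""
    head = flow.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "protocol": "http",
        "host": headers.get("host"),
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "user_agent": headers.get("user-agent"),
        "cookie": headers.get("cookie"),
    }


def analyse_tls(record):
    """With TLS the payload is opaque, but the ClientHello still names the
    server in clear (SNI), so the hotspot owner learns which service you use."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32                      # record header, handshake header, version, random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    sni = None
    while pos < ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:                     # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return {"protocol": "tls", "host": sni, "path": None, "query": {},
            "user_agent": None, "cookie": None}


def hotspot_view(flow):
    """What the owner of the access point sees for one captured flow."""
    return analyse_tls(flow) if flow[:1] == b"\x16" else analyse_http(flow)


if __name__ == "__main__":
    for flow in (HTTP_FLOW, build_client_hello("dating.example")):
        print(hotspot_view(flow))
```

Run it and compare the two dictionaries: the HTTP flow hands over the user’s location, date of birth, device and session cookie; the TLS flow gives up only the hostname. That hostname is still enough to know you are using a dating app at 2am in a hotel, which is why the takeaway is to avoid free internet rather than to rely on the app doing the right thing.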

The other and more important issue is our ‘trust’ in applications. Dave Porcello, CTO of Pwnie Express (a company that makes ‘interesting’ gear), said: “We just look for apps that work and trust them, because they help get work done.”

Applications are created by people; people are not perfect; applications are not perfect.

Application vendors are usually there to make money and do not always focus on privacy, yet we place our trust in them by giving them sensitive information, which may include:

  • Name
  • Address
  • Date of birth
  • Geo location
  • Pictures
  • etc.

If the application developer is not taking steps to secure this information, The Enemy will have a field day.

In short, if you don’t need the application, don’t use it. If you do need the application, don’t give it personal information (or use aliases… remember aliases?)

This article is a good case study:
http://arstechnica.com/security/2014/06/what-the-nsa-or-anyone-can-learn-about-you-from-internet-traffic/

Takeaways:

  • Don’t use free internet!
  • Use line/network encryption (a VPN does not always encrypt: a bare tunnel only encapsulates your traffic, so check that yours actually does)
  • Badger your application developers to make sure their applications are created with security and privacy in mind
  • Use the latest version of any application you use

Your friend could be your weakest link

Picture this:

  • you were at a location you were not supposed to be at
  • a friend takes a snap and posts it on a social media site
  • your friend’s security settings are quite lax
  • the world can see that you were at that location
  • The Enemy(tm) searches for you, but you have good OpSec so you’re ok
  • The Enemy(tm) expands their search to affiliates, associations, etc.
  • The Enemy(tm) finds your friend
  • The Enemy(tm) finds your photo
  • sprung!

People connected to you form a web of trust. You trust them as a connection, whether friend, business associate, etc. These connections are people you trust with a certain amount of information about you (online or otherwise).

Depending on your influence, your web of trust could be quite large, multi-layered and complex.

To keep things simple here, let’s say that your web of trust is online, on a well-known social networking site.

Now, if one of your connections is careless (or compromised), as in the opening example, you’ll have a lot of explaining to do.

As an attacker, our job is to find the weakest link and exploit it, even if that means mapping your web of trust and using its members as leverage to achieve a goal.

Naturally, if you’re a target, you may want to tighten up your web of trust or communicate this scenario to your own web. Strengthening your weakest link increases the security of everyone in the web.

There is even a tool to find your web of trust:
http://www.theregister.co.uk/2014/06/03/rejected_researcher_builds_facebook_friends_harvester/
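The scenario above and the harvester in that link come down to a graph walk, so here is an added example (written for this post, not the harvester’s code and not anything from the original) that models it. The social graph, the per-account privacy settings and the posts are all constructed for the example. An outsider starts from one public profile they can find by name (a coworker, ‘carol’ here), follows every friend list that is readable to the public, and then collects public posts that tag the target. The target’s own profile is locked down throughout; the leak comes from one friend whose posts are public. The last function shows that tightening that one account closes the leak for the target, which is the ‘strengthening your weakest link’ point.

```python
from collections import deque

# Constructed social graph (undirected friendships), privacy settings and posts.
# "target" keeps their own profile locked down; their friends do not all do the same.
FRIENDS = {
    "target": {"alice", "bob"},
    "alice": {"target", "carol"},
    "bob": {"target", "carol", "dave"},
    "carol": {"alice", "bob"},          # a coworker of alice and bob, findable by name
    "dave": {"bob"},
}
SETTINGS = {                        # friend_list / posts: "public" or "friends"
    "target": {"friend_list": "friends", "posts": "friends"},
    "alice":  {"friend_list": "public",  "posts": "friends"},
    "bob":    {"friend_list": "public",  "posts": "public"},
    "carol":  {"friend_list": "public",  "posts": "public"},
    "dave":   {"friend_list": "friends", "posts": "public"},
}
POSTS = [   # constructed: who posted, who is tagged, and where the snap was taken
    {"author": "bob",   "tagged": {"target"}, "location": "Riverside Bar, Friday night"},
    {"author": "alice", "tagged": {"target"}, "location": "Office, Friday night"},
    {"author": "carol", "tagged": {"alice"},  "location": "Park"},
]


def harvest(seed, friends=FRIENDS, settings=SETTINGS):
    """Accounts an outsider can map starting from one profile: walk every friend
    list that is readable to the public, breadth first (what a friends harvester
    does). An account with a locked friend list is still discovered, just not expanded."""
    seen, queue = {seed}, deque([seed])
    while queue:
        acct = queue.popleft()
        if settings[acct]["friend_list"] != "public":
            continue
        for f in friends[acct]:
            if f not in seen:
                seen.add(f)
                queue.append(f)
    return seen


def leaks_about(target, seed, posts=POSTS, settings=SETTINGS, friends=FRIENDS):
    """Public posts that tag the target, written by anyone the outsider reached.
    Returns sorted (author, location) pairs; each author is a weak link."""
    reached = harvest(seed, friends, settings)
    return sorted(
        (p["author"], p["location"])
        for p in posts
        if target in p["tagged"]
        and p["author"] in reached
        and settings[p["author"]]["posts"] == "public"
    )


def tighten(settings, account):
    """Settings after one account restricts both its friend list and posts to friends."""
    fixed = {k: dict(v) for k, v in settings.items()}
    fixed[account] = {"friend_list": "friends", "posts": "friends"}
    return fixed


if __name__ == "__main__":
    print(sorted(harvest("target")))                      # target alone: locked profile, nothing to walk
    print(sorted(harvest("carol")))                       # target found via carol -> alice / bob
    print(leaks_about("target", "carol"))                 # bob's public photo places the target
    print(leaks_about("target", "carol", settings=tighten(SETTINGS, "bob")))   # nothing
```

Note what the walk from the target’s own profile returns: nothing, which is the ‘good OpSec’ step in the scenario. The outsider only gets anywhere by starting from someone near the target whose friend list is public, and the photo only surfaces because bob’s posts are public. alice’s friends-only post tagging the target never appears, even though she is just as close.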

Web Links – Easy path to game over

Lots of news lately about old stuff…Cryptolocker, Zeus…

How does it all start?

Get an email, click on a link, get malware, game over…

The email is generally a SocEng attempt to get you to click on the link:

  • Originating from an ‘authority’
  • A course of action is urgently required
  • Failure to comply will result in a ‘penalty’

Simple: don’t click on the link.

If in doubt, get a phone number from somewhere other than the email itself and contact them directly.
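If you want a mechanical reason not to click rather than a gut feeling, the place to look is the link itself: the address the anchor really points at versus the address the text shows you. Here is an added example (not part of the original post) that pulls every link out of a constructed message written in the authority / urgency / penalty pattern above and flags the ones whose target does not match their story. The message, the ‘mybank.example’ brand domain and the decoy hosts are all made up for the example, and the registrable-domain check is a deliberately crude last-two-labels approximation rather than a public-suffix lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message in the authority / urgency / penalty pattern. The domains
# are illustrative; "mybank.example" is the brand the recipient would expect.
EMAIL_HTML = """
<p>Dear customer, unusual activity was detected. Your account will be suspended
in 24 hours unless you verify it.</p>
<p>Verify now: <a href="http://192.0.2.10/login">https://www.mybank.example/login</a></p>
<p>Or read <a href="https://mybank.example.verify-acct.test/">the help page</a>.</p>
<p>Questions? <a href="https://www.mybank.example/contact">www.mybank.example</a></p>
"""
EXPECTED_BRAND = "mybank.example"   # assumption: the domain the sender claims to be

LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels: a crude stand-in for the registrable domain (assumption:
    no public-suffix list; good enough for the .example / .test names used here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_link(href, text, brand=EXPECTED_BRAND):
    """Reasons not to click: the link target is not what the text or the brand claims."""
    reasons = []
    host = (urlsplit(href).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("punycode (IDN) label in host")
    if LOOKS_LIKE_URL.fullmatch(text):
        # The visible text is itself a URL or domain: it must agree with the real target.
        shown = (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()
        if registrable(shown) != registrable(host):
            reasons.append(f"displayed domain {shown} differs from link target {host}")
    if f".{brand}." in f".{host}." and registrable(host) != brand:
        # The trusted name is present, but only as a subdomain of someone else's domain.
        reasons.append(f"{brand} appears only as a subdomain of {registrable(host)}")
    return reasons


def suspicious_links(html):
    """(href, reasons) for each link in the message that should not be clicked."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = inspect_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(EMAIL_HTML):
        print(href, "->", "; ".join(reasons))
```

The first link says ‘mybank’ but goes to a raw IP address; the second buries the bank’s name as a subdomain of an unrelated domain; the third is the only one whose target matches. A mail client shows you the first of these on hover, which is the manual version of the same check, and it is the reason ‘don’t click, phone them’ is the right default.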