Friday, August 8, 2008

Computer security professionals vulnerable to scams

Computer security professionals tend to be a highly paranoid bunch, seeing potential threats everywhere. It turns out that some aren't cautious enough, though.

Two researchers demonstrated Thursday at the Black Hat hacking conference how they had gotten computer security experts to let their guard down online the same way they advise the average Internet user not to, especially on social networking Web sites.

A relatively simple ruse persuaded dozens of prominent security analysts to connect on their social networking Web pages with people who weren't friends at all. They were fake profiles, purportedly of other well-known security pros. The scam was designed to expose the trust that even some of the most skeptical Internet users display on some of the most insecure sites on the Web.

Some social networking sites can be dangerous because they allow people to post programming code — used for good or evil — on other people's pages. Even networking sites that don't allow that step carry their own security risks, because it's relatively easy for someone to masquerade as a "friend" who isn't actually friendly — and recommend malicious Web sites to click on.

The ruse concocted by Shawn Moyer, chief information security officer for Agura Digital Security, and Nathan Hamiel, senior consultant for Idea Information Security, worked like this:

They found prominent security figures who didn't have profiles on particular social networking Web sites.

They built up fake profiles by using information from press releases and news articles. Then they built up the profiles' authenticity by sending them around to people who indiscriminately add friends on those sites.

Finally, once the profiles looked legitimate, they identified groups of security professionals on those sites and sent their friend requests to them.

Moyer and Hamiel said they did it three times, each time impersonating a different person. Each time they lured in more than 50 new friends within 24 hours. Some of those people were chief security officers for major corporations and defense industry workers, they said. They declined to identify any of those people.

"We really were surprised at the level of trust we found — we didn't think we'd be as successful as we were," Moyer said. "Any one of these people would have happily clicked on a malware site or viewed our profile with a (data-stealing) Trojan application."

Moyer and Hamiel said they even landed an interview with a journalist who responded to one of their friend requests. But they got busted: the reporter sent an e-mail to the target's real profile page on another social-networking site and discovered the fraud.

Moyer and Hamiel emphasized that the talk wasn't intended to single out any particular social networking site. Many of them have the same security problems, and users need to be cautious about verifying the people they add as friends.

Readers, I received this email article from my friend. Yes, it is true that no one can escape from online scams. So, please take the necessary steps so as not to become a victim of the same.
Analyse any request from any social network before you accept it.
