From http://sans.org/reading_room/whitepapers/privacy/disney-princess-you_33328


Social engineering for identity theft

Social engineering for identity theft has always been around. But now, with the advent of social networking sites such as Facebook, MySpace, and a host of others, it has become easier than ever to harvest personal information from unsuspecting targets. This post looks into just how much personal information can be gathered by the seemingly harmless “What type of personality are you?” quizzes that are so prevalent on social networking sites. The paper will then look at what the information could be used for, and how to protect against this particular vector of social engineering.


1. Introduction
Social engineering takes many forms; some obvious, some not so obvious. One
not so obvious form is that of questionnaires—be it a knock on the door to answer a
survey for a “census” worker, or a “harmless” quiz found on a social networking site.
Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

The following example of an unedited quiz recently found on a popular social
networking website illustrates just how seemingly unsuspecting, yet powerful, these
questionnaires can be.


What does your password say about you?

Is your password good or is it easily going to be hacked and also what does it say about you?

1. How long is your password?

A) 3-5 letters/numbers
B) 6-8 letters/numbers
C) 11-14 letters /numbers
D) 9-10 letters/numbers

2. Is your password your name with some other numbers or somebody in the
family?

A) Yep
B) No way! That’s too easy for me!
C) Its exactly my name
D) It’s my family members name with some other numbers.


3. Does your password have any numbers?

A) Yea, it’s all numbers actually!
B) Yea it’s got a couple of mixed up numbers.
C) Nope!
D) Yea one number!

4. Has your password/account have ever been [sic] hacked into?

A) No never!
B) No but I told one of my friends it.
C) Yea once.
D) Twice actually.

* (Apps.Facebook.com)

According to the quiz statistics, eight-hundred people have already taken this
particular quiz. (Apps.Facebook.com) What is remarkably staggering is that while a quiz
of this nature seems relatively harmless at first glance, the amount of information that can be captured, compiled, correlated, and acted upon with harmful results to the end user is quite large. What the end user does not realize is that even a seemingly harmless quiz like this is a form of social engineering.


Definition and History of Social Engineering

Ian Mann (2008), author of “Hacking the Human,” defines social engineering as
the following: “To manipulate people by deception, into giving out information, or
performing an action” (p. 11). This definition encompasses not only the gleaning of
information, but also the possibility of “performing an action.” In general terms, when
social engineering is thought of, it is usually in relation to harvesting information and not necessarily in relation to performing an action. For example, if a security guard is
manipulated into allowing an attacker through a security checkpoint, the attacker has not gained any particular information. However, they have manipulated the security guard into allowing them into an area (performing an action) where they were not authorized to be. (Mann, 2008)

Social engineering has been around since the beginning of time. In fact, one of the
earliest documented examples of a phishing attack can be found in The Old Testament.
In Genesis 27, Isaac had gone blind in his old age, and was on his deathbed. After his
wife heard that he wanted to give the family blessing to the eldest son, she told their
youngest son, Jacob, to go and deceive his father and receive the blessing instead.

The problem was that the eldest son was a very hairy man, and Jacob was not. To deceive Isaac, Jacob covered himself in goatskins. This deception worked, and Isaac blessed Jacob instead of his eldest son. In this example, Isaac had fallen prey to what is known as a simple phishing scheme. (Dang, 2008)

Throughout history up to the modern day, there have been countless other
examples which illustrate the effectiveness of social engineering. In the story of the
Trojan horse of the Greeks, the Trojans had fallen prey to the Greek’s social engineering
tactics through their own over-confidence and gullibility. (Dang, 2008) Twentieth
century social engineers, such as Frank Abagnale, portrayed in the movie “Catch Me If You Can,” pulled off astonishing stunts through social engineering methods. And Kevin
Mitnick, one of the most well-known social engineers of the modern era, uttered these
words as he was testifying before Congress of his misdeeds: “I explained that I could
often get passwords and other pieces of sensitive information from companies by
pretending to be someone else and just asking for it.” (Mitnick, 2002)


Current Day Social Engineering

With the advent of the Internet and the rapid advancement in mobile
telecommunications devices and communications platforms, social engineering has been, and
continues to be, more prevalent than ever before. One major reason for this is that there is far less risk in social engineering across the Internet than in person. (Mann, 2008)

Consider the personal risk, such as arrest or fines, between the following two social
engineering scenarios: 1) An attacker social engineering their way into a physical “audit” of Company X, looking for an exploitable vulnerability to siphon their intellectual
property out. 2) An attacker social engineering their way into Company X by sending a
targeted phishing e-mail (spear phishing), to an employee, gaining their remote login
credentials to access Company X’s intellectual property over the Internet. Obviously, the personal risk would be much less in the second scenario.

Current day social engineering vectors take on many forms. They can vary from
in-person exchanges, to over-the-phone conversations, through e-mail, or even through
online social networking sites.

Social Engineering on Social Networking Sites

As the Internet continues to evolve, new and unique social engineering
opportunities continue to come to light, such as the “Web 2.0” social networking sites.
MySpace, Facebook, and Orkut are just a few of the more popular examples of such sites and are among the most widely used today. These social networking sites are a gold mine for social engineering attacks, as there is oftentimes an implicit trust assumed in the “befriending” of someone the user may or may not know that well.
One particular social engineering vector that is often found on many of the widely
used social networking sites today is the “What Type of Personality are You?” quiz.

Joshua Brower, Josh@ToTheLastTribe.com

These types of quizzes when taken by the end user will oftentimes yield a specific result, such as what Lord of The Rings character they are, or how long they will live, or who they are most compatible with. On the outside, they appear harmless and fun to the end user, and provide an entertainment value that is enticing, to say the least. However, on a deeper level, the quizzes themselves are one of the most insidious vectors of social engineering on social networks, because of the type and sheer amount of information gathered, and who has access to it. With these quizzes, the information is gathered in small amounts, in very unsuspecting ways, and the end user has absolutely no idea who has access to it. At least when a user adds an application on Facebook, it asks the user’s permission to give the developers access to their information. Consider the following example:

Which would more likely give a user pause?

[Figure: Facebook permission dialog asking to allow access for the “Daily Horoscope” application]

or

[Figure: quiz pages “What Princess Bride Character are you?” and “Which High School Stereotype do you identify with?” (list of 8 character types)]


More than likely, the first example would be the one to make a user pause and
consider their actions, rather than the harmless quiz pictured in the second example. As
such, the remainder of this paper concentrates on this particular vector of
social engineering on social networks.


Background

Although there are a number of social networking websites on the Internet, out of
all of them, Facebook is currently the most widely used. Numbers show that as of
February 2010, Facebook has four-hundred million active users. (Facebook.com) Recent
reports show MySpace as having approximately sixty-six million active users
(Insidefacebook.com), and Orkut at nearly fifty million active users. (Orkut.com)
Facebook also provides an open API for developers to write their own applications,
making Facebook the most prevalent social networking site for these types of quizzes.
After considering the above reasons, it was decided to use Facebook as the social
networking website of choice for the research, instead of the other social networking
websites.

Goals & Procedures
The goal of the following procedure was to take a passive look into what quizzes
users have already taken, and compile the results from the questions asked. In this
scenario, five Facebook users were profiled. Next, all of the quizzes that the five users
had taken over a two month span were noted and, using a sample Facebook account,
those same quizzes were taken with the questions being noted. Finally, using the
questions from the quizzes that each profiled user had taken, a personal profile was built.

Since it was not possible to know exactly how each user had answered each question, the profiles were generated by using possible answers. Keep in mind that the quiz creator would know exactly how the users had answered. Finally, this procedure assumes a few things. As mentioned earlier, since the user allowed the quiz access to their Facebook profile, the developers of the application also have access to a lot more information, such as pictures, status updates, etc. For this procedure, and the remainder of this paper, it will be assumed that the developers of the quizzes also know 1) the e-mail of the user, and 2) the name of the user. It may be that the developer knows a lot more, but for our purposes, this is all that needs to be assumed.

Results
For each Facebook user that was profiled, the answers to the questions on the
quizzes have been compiled, and a simulated target profile of each was built as follows:


Target #1 Profile
Information from Allowing Quiz Access to Profile
Name: Tiffany Radenberg
E-mail: tiffr83@gmail.com
Information from Quizzes
Basic Personal
Gender: Female
Birthday: Dec 12, 1983
Age: 26
Hair Color: Brown
Eye Color: Brown
Favorites
Favorite Color: Red
Favorite Music: Country
Favorite Animal: Horses

Personality
-Has at least 1 child, would like to have more kids
-Usually dresses nice, but casual
-Religious, to some extent (Prays before meals)
-Organized
-Greatest Fear: That harm will befall loved ones
-Perfectionist
-OCD to some extent
-Competitive
-Independent

Target #2 Profile

Information from Allowing Quiz Access to Profile
Name: Jeff Luken
E-mail: vegies539@hotmail.com
Information from Quizzes
Basic Personal
Gender: Male
Birthday: November 13, 1979
Favorites
Favorite Drink: Smoothies
Favorite Ice Cream: Cookie Dough
Favorite Color: Blue
Favorite Musician: Weird Al Yankovic
Favorite Genre of Music: Classical
Favorite Movie: E.T.
Favorite Olympic Sport: Curling
Favorite Sport: Lacrosse

Personality
-Vegetarian
-Loves History & Non-Fiction books
-Drives a Volkswagen Bug
-Real Life Hero is Barack Obama
-Believes that self-defense is the only acceptable form of violence


Target #3 Profile

Information from Allowing Quiz Access to Profile
Name: Mellissa Ourthe
E-mail: mali437@Juno.com
Information from Quizzes
Basic Personal
Height: 5’1”
Hair: Blonde and Wavy
Eyes: Brown
Pierced Nose
Favorites
Favorite Color: Purple
Favorite Candy: Reese’s Peanut Butter Cups
Favorite food: Mexican
Favorite drink: Soda
Favorite Movie: Wall-E & Finding Nemo
Favorite Animal: Cats
Personality
-Drives a minivan
-Most important thing is family
-Always carries cell phone with her
-Self-proclaimed procrastinator


Target #4 Profile
Information from Allowing Quiz Access to Profile
Name: Blake Keyes
E-mail: coldandchilly73@Yahoo.com
Information from Quizzes
Basic Personal
N/A
Favorites
Favorite TV Show: Heroes
Favorite Beverage: Black Coffee
Favorite Movie: Terminator
Favorite type of food: Italian
Personality
We know they have a family and they love to spend time with them.
Last vacation went camping and hiking


Target #5 Profile
Information from Allowing Quiz Access to Profile
Name: Megan Jergens
E-mail: easygirlz174@yahoo.com
Information from Quizzes
Basic Personal
Gender: Female
Birthday: March 15, 1988
Age: 21
Hair Color: Blonde
Eye Color: Green
Lives in Defiance, Ohio
Favorites
Favorite Color: Pink
Favorite Music: Pop
Favorite Movie: Save the Last Dance
Favorite Animal: Cat
Favorite Flavor: Vanilla
Personality
-Dreams of working as a personal trainer
-Does not want kids
-Is not close with her family
-Curses a lot, mainly “****”
-Does not like to cook
-Loves Material Girl by Madonna
-Sleeps on her back, facing the ceiling
-Snores
-Usually goes to bed between 8-9pm or earlier
-Drives a white 97 Oldsmobile Cutlass
-Has a credit card



Taking It to the Next Level

As can be seen from the previous profiles, the first procedure garnered a very rich
set of results to work with. To really take this particular social engineering vector to the next level, the goal of this next procedure would be to actively create a situation in which users take the quizzes as usual, while their results are consolidated across multiple quizzes. Finally, a report could be run on any given quiz taker.

This could be accomplished by creating a Facebook application that allows users
to both take and create quizzes. There are currently well over fifty of these types of
applications available on Facebook. The difference is thus: as a user takes a quiz, the
application contacts a back-end database that creates a unique ID for the user and stores all of the answers to the quiz that the user is taking. It does this for every quiz that the user takes. To generate a profile for a user, a report is run that pulls all the information in the database for a given user, runs algorithms on it that categorize and consolidate the data, formats it, and displays it for viewing. Considering that the top three quiz applications have over thirty-two million active users, the quantity of data that could be mined for each user is staggering.
