
Archive for October, 2009

How does one damage facebook to cause them serious monetary losses? I was recently posed this question and did not have an immediate response. It is an intimidating question considering facebook’s pervasive presence throughout the world. facebook is a giant with seemingly endless resources and support, and it defines the success of social media in the virtual space.

When I first thought about this question I was focusing too heavily on the low-level technical perspective. I was devising overly complex ideas that were unreasonable and could by no means challenge the colossal beast facebook is today. Eventually I had to take a step back and think about it at a high level. Upon thinking about it further, I believe I have come up with something that is really quite simple and would not be difficult for an organization with adequate resources to pull off.

Let me begin by acknowledging that the following ideas are by no means novel. Yet these independent, unrelated concepts form something new once combined.

facebook is often viewed as a ‘social networking’ service provider. I prefer to look at facebook as an identity service where users can autonomously stand up an identity that facilitates social networking. Users rely upon this identity service to interface, in a virtual environment, with people they know (or don’t know) from the real world. Fundamentally, facebook users must trust facebook’s identity service, otherwise the system fails. When users can no longer trust this service they will go elsewhere and facebook will lose money.

So, how does one attack this identity service?

In recent months we have seen individuals stand up both twitter and facebook profiles that fraudulently pose as celebrities. This causes a number of problems for service providers because users can no longer adequately trust the identity service they rely on. Questions arise: how do I know whether I am really communicating with, following, or friend’ing the real person, rather than someone claiming to be that person? How can I trust that someone is who they say they are? This comes back to one of the hardest problems to solve in computer security: identity management.

As a facebook adversary (or as an adversary of another organization leveraging facebook as an attack medium, which I will get into in a minute), it is important to create identity ambiguity on a grand scale. If only a few randomly selected individuals have multiple accounts, one legitimate and the others fraudulent, facebook’s reputation as an identity service provider will likely not be tarnished. It is imperative for these fraudulent accounts to become widespread. The facebook population is mammoth, so I do not expect all users or members of their social circles to be affected, but rather enough to raise some red flags, jeopardize user trust in facebook’s service, and cause some users to stop using it.

So, how does an adversary initiate the rampant creation of fraudulent facebook accounts?

Many of those who study virtual worlds and MMORPGs are familiar with the concept of gold farming.

Gold farming is a general term for an MMORPG activity in which a player attempts to acquire (“farm”) items of value which are sold to create stocks of in-game currency (“gold”), usually by exploiting repetitive elements of the game’s mechanics. This is usually accomplished by carrying out in-game actions (such as killing an important creature) repeatedly to maximize gains, sometimes by using a program such as a bot or automatic clicker. More broadly, the term “gold farmer” could refer to a player of any type of game who repeats mundane actions over and over in order to collect in-game currency and items. An organization which organizes farmers is known by some as a sweatshop, though the less value-laden term is “workshop” or “gold farm”.

A motivated adversary or organization (perhaps a facebook competitor) with adequate resources could stand up a fraud farm composed of cheap laborers. These fraud farmers could repetitively stand up fraudulent facebook accounts that mimic legitimate ones: same pictures, same profile information, and so on. The only thing they could not reuse is the email address, but it would not be difficult for a fraud farmer to register name-appropriate email addresses to impersonate the real ones. Also, in many cases, fraud farmers would first need to befriend their targets to obtain the information necessary for standing up a convincing fraudulent account. We already know how many individuals have no problem accepting friend requests from people they don’t know. They would probably be even more inclined to accept friend requests from individuals with the same name. “Wow, this person has the same name as me, how cool!” This really is how many people think. Once this relationship exists, the fraud farmer has the tools necessary to stand up a counterfeit account.

For previously existing relationships between individuals on a social network, telling the real accounts of friends from fake ones would be trivial. It becomes interesting, however, in cases where new relationships between individuals are being established, and particularly interesting when those new relationships are between individuals from the same organization.

Let’s say I have a fairly large fraud farming operation in some third world country and I’ve decided to target Goldman Sachs. It would be easy to establish facebook friendships with legitimate Goldman Sachs employees by friend’ing them from fraudulent accounts that impersonate other real Goldman Sachs employees. In this case, facebook is being leveraged as an attack medium for an outsider to interface with real, internal employees. Think about all the things a fraud farming unit could potentially do with these trust relationships. The possibilities are endless.
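The pattern described in the two paragraphs above (a clone that copies a real user’s name and picture, registers under a different email, and then befriends the real user’s colleagues) leaves a signature that a site’s own abuse team could look for. The following is an added example of that check, not code from the original post and not anything facebook is known to run. All of the profile records are constructed sample data, and the record fields (name, email, photo hash, creation day, friend list) are assumptions about what an operator can see internally.

```python
"""Duplicate-profile check for the impersonation pattern described above.

Added example, not from the original post. All profile records below are
constructed sample data; the field names (name, email, photo_hash, created,
friends) are assumptions about what a site's own abuse team could see.
"""
from collections import defaultdict
from dataclasses import dataclass
import unicodedata


@dataclass(frozen=True)
class Profile:
    uid: str
    name: str
    email: str
    photo_hash: str      # hash of the profile picture (assumed field)
    created: int         # account creation day, arbitrary units (constructed)
    friends: frozenset   # uids of accepted friends


def normalize_name(name: str) -> str:
    """Fold case, accents, dots and spacing so 'Jöhn  Smith.' == 'john smith'."""
    nfkd = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in nfkd if not unicodedata.combining(c))
    return " ".join(ascii_only.lower().replace(".", "").split())


def find_impersonation_candidates(profiles, min_shared_friends=1):
    """Group accounts by (normalized name, photo hash). Inside a group the
    earliest account is taken as the original; every later account with a
    different e-mail that has already befriended at least
    `min_shared_friends` of the original's friends is flagged.
    Returns a list of (original_uid, clone_uid, shared_friend_count)."""
    groups = defaultdict(list)
    for p in profiles:
        groups[(normalize_name(p.name), p.photo_hash)].append(p)
    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue
        members.sort(key=lambda p: p.created)
        original, clones = members[0], members[1:]
        for clone in clones:
            if clone.email == original.email:
                continue  # same owner re-registering, not the pattern here
            shared = clone.friends & original.friends
            if len(shared) >= min_shared_friends:
                findings.append((original.uid, clone.uid, len(shared)))
    return findings


# Constructed sample population: Jane Doe (u1), her colleagues u2-u4, a
# clone of Jane (u5) and an unrelated namesake (u6) with her own friend u7.
SAMPLE_PROFILES = [
    Profile("u1", "Jane Doe", "jane.doe@example.com", "ph_a1", 100,
            frozenset({"u2", "u3", "u4"})),
    Profile("u2", "Bob Lee", "bob@example.com", "ph_b2", 120,
            frozenset({"u1", "u3", "u5"})),
    Profile("u3", "Ann Ray", "ann@example.com", "ph_c3", 130,
            frozenset({"u1", "u2", "u5"})),
    Profile("u4", "Tom Kim", "tom@example.com", "ph_d4", 140,
            frozenset({"u1"})),
    # clone: same name (odd casing/spacing) and same photo, new e-mail,
    # created later, and already friends with two of Jane's colleagues
    Profile("u5", "jane  DOE", "jane.doe.2009@example.net", "ph_a1", 200,
            frozenset({"u2", "u3"})),
    # same name but a different photo and no shared friends: a namesake
    Profile("u6", "Jane Doe", "jdoe@example.org", "ph_f6", 150,
            frozenset({"u7"})),
    Profile("u7", "Sam Wu", "sam@example.com", "ph_g7", 160,
            frozenset({"u6"})),
]

if __name__ == "__main__":
    for original, clone, n in find_impersonation_candidates(SAMPLE_PROFILES):
        print(f"{clone} looks like a clone of {original} ({n} shared friends)")
```

Keying on name plus photo hash rather than name alone is what keeps the namesake (u6) out of the findings; raising `min_shared_friends` trades recall for fewer false positives once the clone has not yet started befriending the target’s circle.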

Eventually some users and some organizations would lose faith in the identity service facebook is providing. In extreme cases, organizations may go so far as to ban employees from having accounts at all. Think about all the press something like that would get. If anything, it would certainly raise questions regarding the risks of facebook and its services.

I exaggerate a bit with this post’s title. Chances are this would not kill facebook, but it would certainly cost them money. Not only that, this concept also turns facebook into a powerful weapon to target other organizations, and it could cause those organizations devastating financial and information losses.

It is becoming apparent that social media and virtual relationships have serious security implications for individuals and their organizations.  These trends begin to pose the security questions of tomorrow.


Alternate reality gaming (ARG) is a relatively new trend beginning to gain serious traction. At its core, an ARG is simply a communication-rich collaboration environment that merges the real world and virtual space, bridging the disconnects between the two.

I recently began using foursquare. The folks over there tout foursquare as 50% friend-finder, 30% social cityguide, 20% nightlife game. foursquare provides a virtual world that interfaces with the real world. Registered users connect with friends, update their location (“checking in”), describe what they are doing, and receive points for doing so. The point system and earned badges (the gaming aspect) give users an incentive to do and try new things. They also encourage users to share information: “You should check out this bar and try their microbrew!” Users themselves provide knowledge-rich information specific to a given location. The community makes the system more intelligent and capable of meeting real knowledge management needs.

From a security perspective, the question I find myself asking is: what utility can be found in this information? Instead of focusing on it at a micro level (privacy, the dangers of sharing location, social engineering, phishing, etc.) it is far more interesting to look at it from a macro level.

A paradigm shift in social media is coming in which the real world and virtual space interact as a single entity. This entity is comprised of three fundamental components: people, location, and knowledge. These three components lay the foundation for a dynamic, living, breathing system that evolves over time, and that evolution is driven by how the components are built and structured around each other. It is somewhat analogous to an iterative mathematical process in which operators and operands are used to build complex equations and theorems over time, which in turn become the foundation for future equations and theorems, and so on.

What is most interesting are the relationships that form between people, location, and knowledge.  These relationships build around each other to create profoundly rich links and ties that essentially act as the system’s DNA.

With all of this information, security folks could create models to uncover interesting relationships between individuals, locations, and the knowledge associated with them. One could then simulate potential outcomes by incorporating variables into the model. This would enable security professionals to predict future relationships between individuals and their locations and thus reveal common threat indicators and patterns. These models, used for exploring existing relationships and simulating future ones (based on variable inputs), would hopefully provide cogent foresight for law enforcement.
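To make the people/location model above concrete, here is an added example (not code from the original post, and not anything foursquare provides) that builds a co-location graph from check-ins and then runs a simple common-neighbour link prediction over it, which is the “simulate future relationships” step in miniature. The check-in records are constructed sample data; the window size and the user and venue names are arbitrary assumptions. The knowledge component (tips) is left out to keep the example to the part the paragraph argues about.

```python
"""Co-location graph and link prediction over check-in data.

Added example, not from the original post. The check-ins are constructed
sample data; a real feed would come from the service's API. Times are
minutes since midnight on one constructed day.
"""
from collections import defaultdict
from itertools import combinations

# (user, venue, minutes since midnight)  -- constructed sample check-ins
SAMPLE_CHECKINS = [
    ("alice", "cafe_1", 540), ("bob", "cafe_1", 555), ("carol", "cafe_1", 900),
    ("alice", "bar_7", 1260), ("bob", "bar_7", 1275), ("dave", "bar_7", 1280),
    ("alice", "gym_3", 420), ("dave", "gym_3", 430),
    ("carol", "lib_2", 600), ("erin", "lib_2", 610),
    ("bob", "pub_9", 1000), ("frank", "pub_9", 1010), ("dave", "pub_9", 1020),
]


def colocation_graph(checkins, window=30):
    """Return {(u, v): count} of times u and v checked in to the same venue
    within `window` minutes of each other. Each weighted edge is one
    'people x location' relationship; pairs are stored sorted so (u, v)
    and (v, u) are the same key."""
    by_venue = defaultdict(list)
    for user, venue, t in checkins:
        by_venue[venue].append((t, user))
    edges = defaultdict(int)
    for visits in by_venue.values():
        visits.sort()                       # by time, so t2 >= t1 below
        for (t1, u), (t2, v) in combinations(visits, 2):
            if u != v and t2 - t1 <= window:
                edges[tuple(sorted((u, v)))] += 1
    return dict(edges)


def predict_links(edges, existing=frozenset()):
    """Common-neighbour link prediction: for every pair of users that has
    not co-located (and is not in `existing`), score = number of shared
    co-location partners. Returns [((u, v), score)] with score > 0,
    highest score first. This is the 'simulate future relationships' step."""
    neighbours = defaultdict(set)
    for u, v in edges:
        neighbours[u].add(v)
        neighbours[v].add(u)
    scores = []
    for u, v in combinations(sorted(neighbours), 2):
        if (u, v) in edges or (u, v) in existing:
            continue
        common = len(neighbours[u] & neighbours[v])
        if common:
            scores.append(((u, v), common))
    scores.sort(key=lambda s: (-s[1], s[0]))
    return scores


if __name__ == "__main__":
    graph = colocation_graph(SAMPLE_CHECKINS)
    for (u, v), n in sorted(graph.items()):
        print(f"{u} and {v} co-located {n} time(s)")
    for (u, v), score in predict_links(graph):
        print(f"predicted: {u} and {v} share {score} partner(s)")
```

With the sample data, alice and frank never appear at the same venue together, yet both co-locate with bob and dave, so the model ranks them as the most likely new tie. The window parameter is the variable the text talks about plugging into the model: shrinking it to five minutes leaves only the bob/dave bar visit as an edge, and the prediction disappears.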
