New tools capable of quickly finding, gathering and correlating information about individuals from social networking sites and other public sources are giving online scammers a powerful new weapon, say security researchers.
The tools allow potential attackers to build detailed profiles of individuals by finding and piecing together bits and pieces of information about them scattered on social sites and other public forums. The information can then be used in highly targeted, “spear-phishing” scams and other attacks against individuals and enterprises, they said.
Two companies providing such tools are Core Security Technologies Inc., with its Exomind application, and Paterva, with its Maltego product. Exomind is designed to find, combine and correlate information on individuals and groups of individuals from across multiple social networking sites. It can be used to build a concise portrait of an individual and to identify key relationships with others on social networks and in the real world, said Ariel Waissbein, head of CoreLabs, the R&D unit of Core Security.
Paterva describes Maltego as an open source intelligence and forensics application that can import and correlate data from almost any publicly available online source, including social networks, search engines and PGP key databases. A community edition of the tool can also be downloaded.
The application can be used to determine relationships and real-world connections between people, groups of people such as those in a social network, companies and Web sites. It can also be used to find links between domains, DNS names, IP addresses and even documents and files on the Internet.
For instance, the tools can be used to develop a list of Gmail users at the National Security Agency, to find which NASA employees are using MySpace, or to attach e-mail addresses to phone numbers. A graphical user interface presents the information visually.
Paterva claims more than 5,000 users in the security, forensics and law enforcement industries. Maltego has typically been used in tasks such as mapping corporate and social networks and performing information footprinting of corporations.
Exomind can also be used to profile the vocabulary that individuals use in their interactions with others on social networking sites, Waissbein said. The information can be used to impersonate a co-worker, business partner or customer — right down to the particular vocabulary of that person.
“Exomind is a framework that allows us to do open-source intelligence over social networks,” Waissbein said. It is a tool that can be used to understand, and then take advantage of, the trusted relationships that exist within a social networking site, he said. “It does not help anyone to compromise a system, but (it) provides you with tools to leverage trust relationships.”
Exomind was developed to understand social networks' negative impacts on privacy, he said. “In general, by anticipating what bad guys can do and proposing counter-measures we help the larger Internet community.”
Hugh Thompson, program committee chairman and a member of the RSA Conference Board, said that the intelligence that such tools can help gather from social and other sites poses an emerging risk for enterprises.
Employees can directly or indirectly disclose a lot of information about their companies on social sites that can compromise company information or security, he said.
For example, an employee suddenly changing social networking relationships, or new relationships between employees of two different companies could signal an impending partnership between the two companies. A Twitter message from Bentonville, Ark., about a meeting with a company headquartered there could signal a new or blossoming relationship with Wal-Mart, he said.
Similarly, a sudden increase in the number of job seekers from within a company could signal impending layoffs, Thompson said. “If you suddenly see people recommending a number of other people, it could mean they are hoping for some reciprocity, maybe because they are looking for a job,” Thompson said.
“If you see this behavior from one person, that doesn't tell you much. But if you see it across five or 10 people who are all in the same group,” that could be an indicator of a broader trend, he said.
The availability of such tools highlights the need for individuals to be especially careful about what they disclose on social networking sites.
The tools enable easier discovery — and correlation of seemingly random bits of data — to uncover previously undetected relationships and trends, he said. Even if users don't reveal sensitive data outright, they often reveal enough about themselves and their workplaces in different sites to enable a profile to be built, Thompson said.
“Nobody has really understood the risk of data being correlated” from across multiple sites in the manner enabled by tools like Maltego and Exomind, Thompson said. “People tend to put business-related things on LinkedIn but then have this weird mix of personal and business information [on sites such as Facebook].”
Ira Winkler, president of the Internet Security Advisors Group, author of Spies Among Us and a Computerworld columnist, said, “Frankly the tools suck from a protecting-your-privacy perspective.”
“These things are inevitable, but they basically lower the bar for performing more advanced attacks like spear phishing and the like,” Winkler said.