The following is an email I shot off to Roderick Jones @ MetaSecurity. I thought it may be worth sharing.
--snip--
was thinking about this last night, was curious to see if you had any thoughts...
so following the whole 60 minutes debacle, vulnerabilities in critical infrastructure have been on everyone's mind. it's a challenging problem. you have private entities that have no regulatory body requiring them to meet certain security standards (although dhs may have something). the incentive to adequately secure their infrastructure simply isn't there until their reputation is sullied and they begin to lose money - or even worse, the government comprehensively intervenes.
so here's what i am thinking. w/ mobile computing and geo social media on the verge of blowing up, we'll begin to have copious amounts of user-submitted, real-time information that is location-relevant thanks to gps (whether it be twitter feeds, facebook feeds, whatever else comes down the pipe, etc). there is obviously great value in mining this information - nothing new here, this is what you and i have already discussed.
what if we are able to mine this geo social, real-time info, and filter for key things like "power outage", "electricity went out", "stop lights have malfunctioned", etc. people will tweet this info and facebook it, simply because that's what people do. we stand up the platform and let the people fuel the engine.
algorithms could be devised to quantitatively determine whether there may be a serious problem in a certain location. this would be based on the number of people who "tweet" or "facebook" such info relative to their geo-coordinates. if we're getting a lot of user reports of outages in specific locations, chances are we have an infrastructure issue - it may not be hackers, but something is not working.
a system like this would pinpoint flaws or problems to our infrastructure and provide more transparency. instead of having big gov't get involved and try to regulate, let the people do it. a system like this would conspicuously acknowledge flaws in critical infrastructure and service providers would likely become more accountable.
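The aggregation the email sketches, as an added example (not from the email or from MetaSecurity): keyword-filter geo-tagged posts, bucket them into grid cells, and flag a cell only when several distinct users report an outage there. The posts, coordinates and phrase list are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample posts (not real data): (user_id, latitude, longitude, text).
POSTS = [
    ("u1", 38.895, -77.036, "power outage on my whole block, anyone else?"),
    ("u2", 38.897, -77.034, "electricity went out at the office, again"),
    ("u3", 38.894, -77.038, "Stop lights have malfunctioned on 14th St, total chaos"),
    ("u3", 38.894, -77.038, "still no power here"),        # same user again, counted once
    ("u4", 38.896, -77.037, "no power in the building, elevators dead"),
    ("u5", 40.713, -74.006, "power outage? nope, just my laptop battery dying"),
    ("u6", 40.714, -74.005, "great coffee this morning"),
]

# Phrases of the kind the email suggests filtering on, as case-insensitive regexes.
OUTAGE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"power outage", r"electricity went out", r"stop ?lights? .*malfunction", r"no power")]

def is_outage_report(text):
    """True when the post mentions any of the outage phrases."""
    return any(p.search(text) for p in OUTAGE_PATTERNS)

def grid_cell(lat, lon, cell_deg=0.01):
    """Bucket a coordinate into a roughly 1 km grid cell so nearby reports aggregate."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))

def find_hotspots(posts, min_reporters=3, cell_deg=0.01):
    """Return {cell: distinct_reporters} for cells with at least `min_reporters`
    distinct users reporting an outage. Counting users rather than posts keeps one
    chatty (or automated) account from tripping the threshold on its own."""
    reporters = defaultdict(set)
    for user, lat, lon, text in posts:
        if is_outage_report(text):
            reporters[grid_cell(lat, lon, cell_deg)].add(user)
    return {cell: len(users) for cell, users in reporters.items()
            if len(users) >= min_reporters}
```

The lone "power outage? nope" post in the second cell shows why a per-cell threshold of distinct reporters matters: a keyword filter alone will pick up false positives, and the threshold absorbs isolated ones.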
does this make sense? do you have any thoughts?
How does one damage facebook to cause them serious monetary losses? I was recently posed this question and did not have an immediate response. It is an intimidating question considering facebook's pervasive presence throughout the world. facebook is a massive giant with seemingly endless resources and support. It defines the success of social media in the virtual space.
When I first thought about this question I was focusing too heavily on it from a low-level technical perspective. I was devising overly complex ideas that were unreasonable and could by no means challenge the colossal beast facebook is today. Eventually I had to take a step back and think about it at a high level. Upon thinking about it further, I believe I have come up with something that is really quite simple and wouldn't be difficult for an organization with adequate resources to pull off.
Let me begin by acknowledging that the following ideas are by no means novel. Yet these independent, unrelated concepts form an innovative idea once amalgamated.
Oftentimes facebook is viewed as a 'social networking' service provider. I prefer to look at facebook as an identity service where users can autonomously stand up an identity that facilitates social networking. Users rely upon this identity service to interface with people they know (or don't know) from the real world in a virtual environment. Fundamentally, facebook users must trust facebook's identity service; otherwise the system fails. When users can no longer trust this service they will go elsewhere and facebook will lose money.
So, how does one attack this identity service?
In recent months we have seen individuals stand up both twitter and facebook profiles that fraudulently pose as celebrities. This causes a number of problems for service providers because users can no longer adequately trust the identity service they rely on. Questions arise: how do I know whether I'm really communicating with, following, or friend'ing the real person, or someone claiming to be that person, in a virtual environment? How can I trust that someone is who they say they are? This comes back to one of the hardest problems to solve in computer security: identity management.
As a facebook adversary (or an adversary of another organization leveraging facebook as an attack medium, which I will get into in a minute), it is important to create identity ambiguity on a grand scale. If only a few randomly selected individuals have multiple accounts, one legitimate and the others fraudulent, facebook's reputation as an identity service provider will likely not be tarnished. It is imperative for these fraudulent accounts to become widespread. The facebook population is absolutely mammoth, so I do not expect all users or members of their social circles to be affected, but rather enough to raise some red flags, jeopardize user trust in facebook's service, and cause some users to stop using it.
So, how does an adversary initiate the rampant creation of fraudulent facebook accounts?
Many of those who study virtual worlds and MMORPGs are familiar with the concept of gold farming.
Gold farming is a general term for an MMORPG activity in which a player attempts to acquire ("farm") items of value which are sold to create stocks of in-game currency ("gold"), usually by exploiting repetitive elements of the game's mechanics. This is usually accomplished by carrying out in-game actions (such as killing an important creature) repeatedly to maximize gains, sometimes by using a program such as a bot or automatic clicker. More broadly, the term "gold farmer" could refer to a player of any type of game who repeats mundane actions over and over in order to collect in-game currency and items. An organization which organizes farmers is known by some as a sweatshop, though the less value-laden term is "workshop" or "gold farm".
A motivated adversary or organization (perhaps a facebook competitor) with adequate resources could stand up a fraud farm composed of cheap laborers. These fraud farms and their fraud farmers could repetitively stand up fraudulent facebook accounts. These fraudulent accounts would mimic legitimate accounts: their pictures, their information, etc. However, they would require a different email address. It would not be difficult for a fraud farmer to stand up name-appropriate email addresses that impersonate the ones behind real accounts. Also, in many cases, fraud farmers would need to befriend their targets to obtain the information necessary for standing up acceptable fraudulent accounts. We already know how many individuals have no problem accepting friend requests from people they don't know. They would probably be more inclined to accept friend requests from individuals with the same name. "Wow, this person has the same name as me, how cool!" This really is how many people think. Once this relationship exists, the fraud farmer has the tools necessary to stand up a counterfeit account.
For pre-existing relationships between individuals on a social network, distinguishing friends' real accounts from fake ones would be trivial. However, it becomes interesting in cases where new relationships between individuals are being established. It becomes particularly interesting when new relationships are established between individuals from the same organization.
Let's say I have a fairly large fraud farming operation in some third world country and I've decided to target Goldman Sachs. It would be easy to establish facebook friendships with legitimate Goldman Sachs employees by friend'ing them with fraudulent accounts that impersonate other real Goldman Sachs employees. In this case, facebook is being leveraged as an attack medium for an outsider to interface with real, internal employees. Think about all the things a fraud farming unit could potentially do with these trust relationships. The possibilities are endless.
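The signals the post describes (a second account with the same display name, the same claimed employer and a copied photo, sending friend requests into that employer's staff) are exactly what a platform or an organization's security team can score for. Here is an added detection heuristic illustrating that; it is not facebook's code or the post's, and the account fields, scoring weights and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample accounts (not real people): id, display name, email,
# claimed employer, signup day (integer, for ordering) and profile photo hash.
ACCOUNTS = [
    {"id": "a1", "name": "Jane Doe", "email": "jane.doe@example.com", "org": "ExampleBank", "signup": 100, "photo": "h1"},
    {"id": "a2", "name": "Jane Doe", "email": "jane.doe.bank@example.net", "org": "ExampleBank", "signup": 900, "photo": "h1"},
    {"id": "a3", "name": "Jane Doe", "email": "jd@example.org", "org": "OtherCo", "signup": 500, "photo": "h7"},
    {"id": "b1", "name": "Bob Roe", "email": "bob@example.com", "org": "ExampleBank", "signup": 120, "photo": "h2"},
    {"id": "b2", "name": "Bob Roe", "email": "roe.bob@example.net", "org": "ExampleBank", "signup": 910, "photo": "h9"},
    {"id": "c1", "name": "Carol Poe", "email": "carol@example.com", "org": "ExampleBank", "signup": 130, "photo": "h3"},
]
# Constructed friend requests as (from_id, to_id).
REQUESTS = [("a2", "b1"), ("a2", "c1"), ("b2", "c1"), ("a3", "c1"), ("b1", "c1")]

def score_impersonation(accounts, requests, min_score=2):
    """Heuristic score per account: +1 if an older account already carries the same
    display name, +1 if that older account claims the same employer, +1 if the
    newer one reuses the older one's profile photo, +1 if the newer one sends
    friend requests to members of the claimed employer. Returns {id: score}
    for accounts reaching `min_score`; a common name alone scores only 1."""
    by_name, org_members, sent_to = defaultdict(list), defaultdict(set), defaultdict(set)
    for acct in accounts:
        by_name[acct["name"].strip().lower()].append(acct)
        org_members[acct["org"]].add(acct["id"])
    for src, dst in requests:
        sent_to[src].add(dst)
    scores = {}
    for acct in accounts:
        older = [o for o in by_name[acct["name"].strip().lower()] if o["signup"] < acct["signup"]]
        if not older:
            continue  # oldest holder of the name is treated as the original
        score = 1
        if any(o["org"] == acct["org"] for o in older):
            score += 1
        if any(o["photo"] == acct["photo"] for o in older):
            score += 1
        if sent_to[acct["id"]] & org_members[acct["org"]]:
            score += 1
        if score >= min_score:
            scores[acct["id"]] = score
    return scores
```

Account a3 shares a name but nothing else and is not flagged, which is the point: the combination of signals, not the name collision, is what separates a namesake from a counterfeit.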
Eventually some users and some organizations would lose faith in the identity service facebook is providing. In extreme cases, organizations may even go so far as to ban employees from even having accounts! Think about all the press something like that would get. If anything, it would certainly raise questions regarding the risks of facebook and their services.
I exaggerate a bit with this post's title. Chances are this would not kill facebook, but it would certainly cost them money. Not only that, this concept also turns facebook into a powerful weapon to target other organizations. It could cause these organizations devastating financial and information losses.
It is becoming apparent that social media and virtual relationships have serious security implications for individuals and their organizations. These trends begin to pose the security questions of tomorrow.
I recently began reading Beautiful Security: Leading Security Experts Explain How They Think, in particular chapter 9, Tomorrow's Security Cogs and Levers by Andy Oram and John Viega. The chapter is a great read for any information security professional and thus far my favorite in the book. To develop some context, the chapter begins with:
Information security is not just about technology. It is about people, processes, and technology, in that order—or more accurately, about connecting people, processes, and technology together so that humans and entire systems can make informed decisions. It may at first seem rather odd to start a chapter in a book about the future of security management technology with a statement that puts the role of technology firmly in third place, but I felt it was important to put that stake in the ground to provide context for the rest of this chapter.
Oram and Viega go on to discuss two different types of security people: builders and breakers. Builders are the optimists. Despite recognizing the profound seriousness of the security vulnerabilities and dangers we face today, they see room for encouragement. Breakers, as you can imagine, are the pessimists. "You wonder when listening to some of them, why the Internet hasn't totally collapsed already and why any of us have money left unpilfered in our bank accounts" (Oram & Viega).
Despite drastically different mentalities, there is one simple truth: when an innovation's benefits outweigh its drawbacks, the innovation almost always succeeds. Builders understand this. They understand that new technology with significant benefits will move forward and inescapably reveal new security issues. Unlike breakers, who at times can be intimidated by change, builders look to see how novel technologies can be leveraged to improve security.
Every few years the next big thing comes along and polarizes security people into these two philosophical camps (Oram & Viega). We are currently seeing it with Web 2.0 (social networking, wikis, social bookmarking, etc.), and the roars are beginning to escalate concerning cloud computing. Inevitably we will see the same with virtual worlds. This got me thinking. Wouldn't it be interesting to look at ways in which virtual worlds could improve security? Here are a couple of quick ones off the top of my head.
1) Dramatically improve communication in real-time
The ability to quickly communicate amongst the masses in real time is very powerful. Twitter has recently made this more apparent than ever. Virtual worlds take real-time communication to a whole new level, incorporating both social context and environmental relevance. These components will improve the clarity of information dissemination and mitigate the ambiguity commonly seen in text-based communication.
2) Fertile ground for innovative, small businesses to cheaply and more effectively produce novel security solutions
Virtual worlds provide an ideal space for small businesses to form and produce a wide-ranging set of security solutions. This idea has two components. First, virtual worlds provide a cheap environment for bringing together intelligent individuals from all over the world; as a result, many effective small businesses will spring up. Second, these small businesses will have concentrated focuses. They will become experts with an esoteric understanding of individual security components that few others share. Instead of devising and implementing large, bulky security solutions, enterprise organizations will have a selection of small, more modular components (supplied by small businesses with in-depth, esoteric knowledge) that can be adapted to enterprise-specific requirements.
3) Provide a neutral site for rich communication between diverse organizations (government agencies, contractors, private businesses, public organizations, etc) to discuss security
A virtual world has the ability to provide an organizationally agnostic environment for rich communication amongst a diverse set of organizations with varying goals. What I mean, essentially, is a neutral virtual environment that brings different groups together, deters motivational bias, and avoids turf battles. Let me once again reiterate: they have the ability to do so. This does not mean that a single organization holding information exchanges with other organizations on its own private property, masked as public, is in fact a "neutral" site.
These are just a few thoughts off the top of my head. I am sure there are many more. Notice that all of them leverage the power of collaboration and communication, the characteristics virtual environments are best suited to facilitate.
Finally, a conscientious builder mentality can be a driving force in devising secure, innovative solutions with advanced technologies. We should not be scared of what is on the horizon, but rather embrace it and mold it to our needs and requirements.