2012-02-01
Abstract
‘Some security commentators suggest inventing answers to [security] questions rather than using real data.' David Harley.
Copyright © 2012 Virus Bulletin
One of my friends brought a pair of interesting Facebook memes [1] to my attention recently. They may not seem to have an immediate security connection, but I’ll come to that shortly.
Meme (1) involves the posting of a status update that reads something like ‘I’m going to live in Miami for 21 months’. Curiosity (or research, as it’s described in my job title) led me to discover that the meme relates to the poster’s birthday: 12 geographical locations represent each of the calendar months (e.g. Mexico = January, London = February, Miami = March), and the number of months for which the poster claims to be relocating represents the date of their birthday within that month. So in the example above, the poster’s birthday is 21st March. In another variant, the post reads ‘I’m [n] weeks in and craving [some kind of candy]’ where [n] represents the day and there is another list on which different types of candy represent different months of the year.
I gather that these games are played to raise awareness of breast cancer, though I don’t see how and if this kind of post fits usefully with other gender-oriented fund- and awareness-raising events such as Race For Life [2].
Meme (2) suggests that putting the last three digits of your cell phone number into a string like @[123:0] and adding it to a Facebook comment will return the name of the cell phone. In fact it has nothing to do with your cell phone, unless every device with a number ending in 123 (for example) is called Morgan Grice. The string format (sometimes) represents a numeric array associated with a Facebook account. It doesn’t even have to be a three-digit number: for example, @[4:0] returns ‘Mark Zuckerberg’ and @[21222:0] returns ‘DJ Vas Deferens’ (a shock jock, perhaps).
This is all very amusing, but I promised you some security content. Meme (1) is a pretty good way of letting those who are ‘in on the secret’ know when your birthday is – though your date of birth is likely to be of more use to an attacker when trying to access sensitive data via ‘secret questions’.
Meme (2) is less of an issue: only the most painstaking data aggregation attack will attempt to harvest cell phone numbers one triplet at a time. I’d be more concerned if the suggestion was to use a credit code or iGadget PIN. But nobody would fall for that, would they?
Well, the following is a meme flagged by Graham Cluley [3] around the time of the royal wedding in the UK in 2011, highlighting a security issue with posting details like this:
What’s your royal wedding guest name? Start with Lord or Lady. Your first name is one of your grandparent’s names. Your surname is the name of your first pet double-barrelled with the name of the street you grew up on.
Secret answers to security questions posed by banking sites and the like as a supplement to passwords, or for people who forget their passwords, are pretty stereotyped. Names of relatives, names of pets, first school, childhood address and so on are highly characteristic, so some security commentators suggest inventing answers to such questions rather than using real data. That’s a logical alternative to inventing your own challenge/response – which is rarely an option – and I’m all in favour of it, as long as it doesn’t contravene some legal or quasi-legal restriction.
Do people lie in their social networking profiles, or when offered a candy bar in exchange for a password? I’m not in favour of dishonesty in general, but if this were general practice, it would suggest a healthily cynical attitude towards organizations who regard us not as customers, but as sources of commoditized data. However, experience with hoaxes shows that when ‘good causes’ like cancer awareness or missing children are involved, scepticism dissolves. I don’t know if any of these memes originate in an attempt at data harvesting, but such attacks would dovetail all too comfortably with the social network’s vested interest in data sharing, and work to an imaginative attacker’s advantage.
[1] Meme: An idea, behaviour, style, or usage that spreads from person to person within a culture. http://www.merriam-webster.com/dictionary/meme.