Living the meme

2012-02-01

David Harley

ESET, UK
Editor: Helen Martin

Abstract

‘Some security commentators suggest inventing answers to [security] questions rather than using real data.' David Harley.


Table of contents

One of my friends brought a pair of interesting Facebook memes [1] to my attention recently. They may not seem to have an immediate security connection, but I’ll come to that shortly.

Meme (1) involves the posting of a status update that reads something like ‘I’m going to live in Miami for 21 months’. Curiosity (or research, as it’s described in my job title) led me to discover that the meme relates to the poster’s birthday: 12 geographical locations represent each of the calendar months (e.g. Mexico = January, London = February, Miami = March), and the number of months for which the poster claims to be relocating represents the date of their birthday within that month. So in the example above, the poster’s birthday is 21st March. In another variant, the post reads ‘I’m [n] weeks in and craving [some kind of candy]’ where [n] represents the day and there is another list on which different types of candy represent different months of the year.

I gather that these games are played to raise awareness of breast cancer, though I don’t see how and if this kind of post fits usefully with other gender-oriented fund- and awareness-raising events such as Race For Life [2].

Meme (2) suggests that putting the last three digits of your cell phone number into a string like @[123:0] and adding it to a Facebook comment will return the name of the cell phone. In fact it has nothing to do with your cell phone, unless every device with a number ending in 123 (for example) is called Morgan Grice. The string format (sometimes) represents a numeric array associated with a Facebook account. It doesn’t even have to be a three-digit number: for example, @[4:0] returns ‘Mark Zuckerberg’ and @[21222:0] returns ‘DJ Vas Deferens’ (a shock jock, perhaps).

This is all very amusing, but I promised you some security content. Meme (1) is a pretty good way of letting those who are ‘in on the secret’ know when your birthday is – though your date of birth is likely to be of more use to an attacker when trying to access sensitive data via ‘secret questions’.

Meme (2) is less of an issue: only the most painstaking data aggregation attack will attempt to harvest cell phone numbers one triplet at a time. I’d be more concerned if the suggestion was to use a credit code or iGadget PIN. But nobody would fall for that, would they?

Well, the following is a meme flagged by Graham Cluley [3] around the time of the royal wedding in the UK in 2011, highlighting a security issue with posting details like this:

What’s your royal wedding guest name? 
Start with Lord or Lady. Your first name is one of your grandparent’s names. Your surname is the name 
of your first pet double-barrelled with the name of the street you grew up on.

Secret answers to security questions posed by banking sites and the like as a supplement to passwords, or for people who forget their passwords, are pretty stereotyped. Names of relatives, names of pets, first school, childhood address and so on are highly characteristic, so some security commentators suggest inventing answers to such questions rather than using real data. That’s a logical alternative to inventing your own challenge/response – which is rarely an option – and I’m all in favour of it, as long as it doesn’t contravene some legal or quasi-legal restriction.

Do people lie in their social networking profiles, or when offered a candy bar in exchange for a password? I’m not in favour of dishonesty in general, but if this were general practice, it would suggest a healthily cynical attitude towards organizations who regard us not as customers, but as sources of commoditized data. However, experience with hoaxes shows that when ‘good causes’ like cancer awareness or missing children are involved, scepticism dissolves. I don’t know if any of these memes originate in an attempt at data harvesting, but such attacks would dovetail all too comfortably with the social network’s vested interest in data sharing, and work to an imaginative attacker’s advantage.

Bibliography

[1] Meme: An idea, behaviour, style, or usage that spreads from person to person within a culture. http://www.merriam-webster.com/dictionary/meme.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.